Hunting for hackers - Google fraud style

A lot of people on the internet are aware of the Google AdSense fraud-detection algorithms.
But few people are aware that the algorithms that help Google track down fraudsters are also very useful for hunting the careful and thorough hacker.

Here is the logic that applies both to hunting hackers and hunting fraudsters:

  1. The attacker will make repeated attempts
  2. The attacker has finite and limited resources at his disposal
  3. The attacker is geographically relatively fixed
  4. The attacker will try to stay connected for as little time as possible

Naturally, both you and Google need a good database of events to analyze. Google has its web server logs; you will have to implement a consolidated log of firewalls, servers and routers to be on par. Of course, the first question is - what data to collect?

Here is what Google can analyze when hunting AdSense fraudsters:
  • Referrer URL of the visitor who clicked on an ad
  • IP address of the visitor who clicked on an ad
  • Autonomous System (provider) of the visitor who clicked on an ad
  • Browser and OS version of the visitor who clicked on an ad
  • Time of visit of the visitor who clicked on an ad
  • Length of visit of the visitor who clicked on an ad
  • URL of the site visited by the visitor who clicked on an ad
  • Site content variation - to hunt for content-copy sites
  • Available cookies on a Google site

Taking the same approach, here is what you can analyze when hunting for hackers:
  • IP address of connecting machine
  • Autonomous System (provider) of connecting machine
  • Destination service/port
  • Time of session (for TCP connections)
  • Length of session (for TCP connections)

With this information, you can write a program to analyze the following:
  • Match nonstandard port attempts from the same Autonomous System within a given interval (say 1 week)
  • Within the Autonomous System, find all connections from the same IP address or the same pool (class C)
  • Look for very short sessions from the same AS and/or pools
  • Look for variations of destination ports and protocols from the same class C pool

Any match of over 3 events within a week should alert a human security officer to conduct a more detailed analysis.
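The correlation rules above, as an added example that is not part of the original post: it walks a constructed consolidated connection log, groups nonstandard-port and very-short-session events by Autonomous System and class C pool, and raises an alert when more than 3 such events fall within one week. The log format, the set of "standard" ports and the short-session threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a consolidated firewall/router connection log.
# Fields: timestamp, source IP, source AS (assumed already resolved), dest port, session seconds.
SAMPLE_LOG = """\
2008-09-01T02:14:07 198.51.100.17 AS64500 22 3
2008-09-02T03:40:55 198.51.100.23 AS64500 2222 2
2008-09-04T01:12:30 198.51.100.23 AS64500 8443 1
2008-09-05T04:02:11 198.51.100.99 AS64500 3389 4
2008-09-03T12:00:00 203.0.113.5 AS64510 80 120
2008-09-03T12:05:00 203.0.113.6 AS64510 443 300
"""

STANDARD_PORTS = {80, 443, 25}  # ports this site legitimately exposes (assumption)
SHORT_SESSION = 5               # seconds; "very short session" threshold (assumption)
WINDOW = timedelta(days=7)      # the interval suggested in the post
THRESHOLD = 3                   # "over 3 events within a week"


def parse(log):
    """Turn the raw log into event dicts; the pool is the class C (/24) of the source IP."""
    events = []
    for line in log.splitlines():
        ts, ip, asn, port, length = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "asn": asn,
                       "port": int(port), "len": int(length),
                       "pool": ip.rsplit(".", 1)[0]})
    return sorted(events, key=lambda e: e["ts"])


def analyze(log):
    """Group suspicious events by (AS, pool) and flag groups exceeding THRESHOLD within WINDOW."""
    groups = defaultdict(list)
    for e in parse(log):
        # a nonstandard destination port or a very short session counts as a match
        if e["port"] not in STANDARD_PORTS or e["len"] <= SHORT_SESSION:
            groups[(e["asn"], e["pool"])].append(e)
    alerts = {}
    for key, evs in groups.items():
        for i, start in enumerate(evs):  # slide a one-week window over the sorted events
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= WINDOW]
            if len(window) > THRESHOLD:
                alerts[key] = {"count": len(window),
                               "ips": sorted({x["ip"] for x in window}),
                               "ports": sorted({x["port"] for x in window})}
                break  # one alert per group is enough to hand to a human analyst
    return alerts
```

On the sample log, `analyze(SAMPLE_LOG)` flags AS64500's 198.51.100.0/24 pool (four events across four different nonstandard ports in five days) and stays silent on AS64510's ordinary web traffic.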

Talkback and comments are most welcome


Checking web site security - the quick approach

One of the most frequent questions delivered to a security officer is: is this web site secure?
While a proper answer can be obtained only through a full-blown penetration test, there is a quick approach which will yield a very good "feel" for the site's security.

The approach
In order to obtain relevant results by this quick approach, you need to assess the web site from the following aspects:

  1. Overall server weaknesses
  2. Web server weaknesses
  3. Web site/application weaknesses

The tools
To achieve the quick solution, one must use the proper tools of the trade. Luckily, the tools of the quick approach are free and very efficient:
  1. Nessus - For server weaknesses assessment
  2. Paros - For web server weaknesses assessment
  3. Ratproxy - For web site/application weaknesses assessment

The process
If the target is not owned by your company, be sure to obtain consent from the owners for the scanning. Use the tools in the sequence in which they are presented:
  1. Nessus - For server weaknesses assessment - Choose the default scan and, if possible, enable the disruptive scans and let it rip. It generates an HTML report as it scans the target.
  2. Paros - For web server weaknesses assessment - Paros functions as a proxy. Once you run it, reconfigure your browser to use a proxy and select localhost at port 8080 as the proxy. This will send all requests through Paros and let it capture the site. Make sure you visit only the target site. After this, choose Analyze -> Spider, then Analyze -> Scan. After the scan is finished, choose Report -> Last Scan Report to get the HTML report.
  3. Ratproxy - For web site/application weaknesses assessment - Functions much like Paros. Once you run it, reconfigure your browser to use a proxy and select localhost at port 8080 as the proxy. This will send all requests through Ratproxy. Make sure you surf every possible link and use every possible function of the site. Once you are finished, run the captured log through Ratproxy's report parser to get the HTML report.

Each of these tools provides very clear reports. Look for weaknesses that are marked medium and above. Then investigate the reports and recommendations for each to evaluate the actual risk to your company.

When you complete this process, if the web server hosts other sites, use Ratproxy on as many of them as you can, to assess the possible risk to your site via attacks delivered through other sites.


WMI Scanning - Excellent Security Tool

When doing a security assessment for a large organization, you need to collect a multitude of information for a proper assessment.
One of the essential elements in a network assessment is a systems inventory. While most security personnel would use a port scanner to scan the organization's full IP range, when analyzing a Windows environment there is another tool that should be used in coordination with the port scanner.

The tool
When scanning a Windows environment, a WMI (Windows Management Instrumentation) scanner is a valuable assistant. The tool I use is WMI Asset Logger, delivered by John J Thomas as freeware.

The process
WMI Asset Logger requires only a domain admin username and password; it will either query the domain for registered computers or ask you for a target computer. It then queries each computer to give you a clear overview of the current status of the computers on the network.

The results are presented in the GUI, with an example shown below.

The benefits
Of course, one can always ask: what are the benefits of using a WMI scanner?

  • Verify the inventory delivered by the IT personnel - with WMI Asset Logger you can create a rapid report against which you can compare the report delivered by IT and verify their formal statement.
  • Make a rapid check of installed OS versions and service packs - Quite often, your first priority is verifying the consistency of installed OS versions. With WMI you get a bird's-eye view of the installed OS of all Windows machines.
  • Create a relevant inventory for comparison on subsequent controls - the report is easily exportable into an XLS or tab-delimited file, so it's easy to load results into a database for comparison of subsequent scans (monthly or quarterly).
  • Find primary targets for deep inspection - Based on simple rules and pairing with the results of a port scanner, you can find interesting targets for deeper analysis.
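
The comparison and pairing described in the last three points, as an added example that is not part of the original post and not WMI Asset Logger's own code: it diffs two constructed tab-delimited inventory exports from subsequent scans, flags hosts below an assumed service-pack baseline, and pairs the current inventory with a constructed port-scan host list to find addresses WMI knows nothing about. The column names are an assumption, not the tool's actual export format.

```python
import csv
import io

# Constructed tab-delimited exports in the shape a WMI inventory report might take;
# the column names are an assumption, not WMI Asset Logger's actual format.
PREVIOUS_SCAN = """\
Hostname\tIP\tOS\tServicePack
FS01\t10.0.0.10\tWindows Server 2003\tSP2
WS-ACCT1\t10.0.0.51\tWindows XP Professional\tSP2
WS-ACCT2\t10.0.0.52\tWindows XP Professional\tSP3
"""
CURRENT_SCAN = """\
Hostname\tIP\tOS\tServicePack
FS01\t10.0.0.10\tWindows Server 2003\tSP2
WS-ACCT1\t10.0.0.51\tWindows XP Professional\tSP3
WS-HR1\t10.0.0.70\tWindows XP Professional\tSP1
"""
# Constructed list of addresses that answered a port scan of the same range.
PORTSCAN_HOSTS = ["10.0.0.10", "10.0.0.51", "10.0.0.70", "10.0.0.200"]
# Minimum service pack expected per OS (assumed baseline for this organization).
BASELINE = {"Windows Server 2003": "SP2", "Windows XP Professional": "SP3"}


def load(export):
    """Parse a tab-delimited export into {hostname: row}."""
    return {r["Hostname"]: r for r in csv.DictReader(io.StringIO(export), delimiter="\t")}


def compare(previous, current, portscan_hosts, baseline=BASELINE):
    """Diff two scans, apply the baseline rule and pair the inventory with the port scan."""
    old, new = load(previous), load(current)

    def level(row):  # OS plus service pack as one comparable label
        return f'{row["OS"]} {row["ServicePack"]}'

    known_ips = {r["IP"] for r in new.values()}
    return {
        # hosts that appeared or vanished since the previous control
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        # OS or service pack changed between the two scans
        "changed": {h: (level(old[h]), level(new[h]))
                    for h in old.keys() & new.keys() if level(old[h]) != level(new[h])},
        # below the expected service pack (string compare is fine for single-digit SPs)
        "outdated": sorted(h for h, r in new.items()
                           if r["ServicePack"] < baseline.get(r["OS"], "SP0")),
        # answered the port scanner but unknown to WMI: unmanaged or non-Windows hosts
        "unmanaged": sorted(ip for ip in portscan_hosts if ip not in known_ips),
    }
```

On the constructed data, `compare(PREVIOUS_SCAN, CURRENT_SCAN, PORTSCAN_HOSTS)` reports WS-HR1 as new and outdated, WS-ACCT2 as gone, WS-ACCT1 as upgraded, and 10.0.0.200 as a host the port scanner saw but WMI did not.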


Is the Server Running - optimal use of redundancy on a budget

When purchasing a server, most companies select a server-class computer from a reputable manufacturer. These days, servers usually come loaded with redundant components to optimize availability and make them more resilient. And yet a lot of these servers fail at the first glitch simply because they are not configured properly. Here is a brief blueprint on how to make the most of the redundancy you have purchased and paid for.

First, let's analyze what is usually redundant in a server. If we take into account only the garden variety commercial servers and ignore the hugely expensive fault tolerant machines, here is what you usually get:

  • Redundant Disk drives
  • Redundant Power Supplies
  • Redundant Network Adapters

To get the maximum from these elements, you should perform the following steps:
  • Redundant disk drives - organize them into a RAID configuration. RAID 1 (mirror) is the best in terms of redundancy and speed, but you lose exactly 50% of the capacity. RAID 5 (parity) gives you the best trade-off between capacity loss and performance. When planning a RAID, look for a server that has a hardware RAID controller. Modern server operating systems can build a RAID themselves, but then the operating system has to dedicate resources and run specific software to maintain the RAID, burdening the main CPU with this task.

  • Redundant power supplies - connect each power supply of the server to a power line fed from a different circuit breaker. This will save you a lot of grief if the cleaning lady decides to plug her vacuum cleaner into an outlet on the same circuit breaker as the server and overloads it. If possible, connect each power supply of the server to a different Uninterruptible Power Supply. This way, all the UPS systems will help your server ride out a blackout.

  • Network adapters - First, organize the network adapters to work as a failover team. This is realized with specific drivers delivered by the manufacturer; the driver creates a virtual network adapter. The virtual network adapter is configured with the IP address of the server and binds to one of the physical network adapters. Should that adapter lose connectivity, the driver binds the virtual network adapter to the other physical one, thus re-establishing connectivity. For an optimal solution, connect the physical network adapters to several switches which are interconnected via trunk links, thus creating one large meta-switch.

All described actions can be performed by your in-house system administrator, and do not require any special expertise. With these simple steps, you'll achieve excellent availability of your server.

Software vendor relationship - can you make it better?

Your company bought a corporate software solution. Your teams tweaked, modified and tested to get it up to your requirements. Now, you just continue to use it for the next 20-30 years without problems. Right?

Well, not quite. The marriage between a corporation and a software vendor tends to turn ugly as time passes, and here is why:

  • Software vendor greed - You are tied into a maintenance and upgrade contract with a yearly fee. And lately, the largest software vendors are increasing these fees as new sales drop. The latest examples are SAP and Oracle, who are actually blaming it on inflation - here is a great article on this tendency.
  • Customer treatment - After a corporation has migrated its core data into the new software, and enough time has passed to make reverse migration into the old system impossible (usually 3-6 months), the software vendor relaxes. It knows that the customer is its own for the foreseeable future, since migrating back or to another system is way too costly in time, money and human effort. So the software vendor becomes less responsive, focuses on new deals, and in extreme cases even becomes outright arrogant.
  • Software quality failures - What initially seemed like a minor issue can grow into a big ugly monster of a bug as the dataset grows, or as errors creep into the system. And the software vendor may choose not to address the core problem, simply because it is too costly or not really possible to fix without a full overhaul. So what usually happens is that your company ends up throwing ever more powerful hardware at the problem in the hope that raw speed will alleviate the issues.

So, is there a way to kick the software vendor where it hurts and make them work as well as they did the first time they sold you a solution?

There is no silver bullet solution, but the following suggestions can help a lot:

  • Put a big stick in the purchase contract - Include software issue resolution times and change request reply times, bound to severe penalties, in the original purchase contract. This way, all you need to do is enforce this SLA every time the software vendor slips. Pretty soon the software vendor will have to bite the bullet and start dedicating its resources to you, simply because it will cost them way too much to treat you badly.
  • Put a carrot in front of the software vendor - Make payment for any new expansion or module purchase conditional on clearance of all outstanding issues in the original software.
  • Always plan a contingency - Have a planned alternative solution. This is the most difficult measure, and the most costly to complete. But when in dire straits, look at alternative solutions, especially fully managed (outsourced) alternatives. With these alternatives your organization is merely the user of the software, and most of the migration effort in terms of hardware and resources is offloaded to the outsourcing company. Oh, and by the way, once the software vendor understands you have an alternative, quality will definitely improve.
