Security wake up call

I don’t think I’ve had this much adrenalin pumping through my system on a Saturday morning in quite a while. My girlfriend signed into her email (as she does most mornings) to discover an email from eBay Live Support asking for a code. She called me over, and a few seconds later the email vanished. What happened after that point is a blur of password resets, both her and the would-be hacker trying to gain control of the Hotmail account and, through it, the eBay account.

There were paranoid moments when passwords wouldn’t work, but in the end she’s still in control of the accounts. Just about every account she owns has now had the password and details changed to help protect it.

It’s intrusive though. How exactly did the attacker break into the account? Not phishing; Cherie is well aware of those types of malicious emails. Guessing the security questions? Maybe.

That raises other concerns though: email addresses become repositories of knowledge for our online lives. Just about every account you sign up for online has to have an email account linked to it, which means many details about your online life are there in fragments. We’ll never know exactly what the hacker had access to (albeit briefly).

I’m personally going to be reviewing all my accounts to make sure that they’re secure, and I’d advise you to do the same.

RockYou gets rocked by hackers

(And I’m hilarious)

Seems that simple lessons don’t get learned. Don’t get me wrong, it’s very hard to protect every aspect of a site against hackers who try to pry their way in. Storing passwords in plain text is just dumb though. Even if the passwords for your own site are hashed, the proliferation of stored third-party login details (which you could at least encrypt with a symmetric key) is a time bomb.
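As an added illustration of the storage point (example code, not RockYou’s or the author’s): a plaintext credential table of the kind that leaked, beside a salted, slow-hashed one for a site’s own users. The user name, sample password and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential table in the form that sank RockYou: whoever reads
# the table has every password.
PLAINTEXT_STORE = {"alice": "hunter2"}


def verify_plaintext(store, user, password):
    # Vulnerable: the secret itself sits in the store and is compared directly.
    return store.get(user) == password


# Hardened form for the site's own users: per-user random salt plus a slow
# key-derivation function. The iteration count is an assumed value for the
# example, not a tuned recommendation.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Keep algorithm, cost and salt with the digest so parameters can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(stored, password):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so response timing does not leak digest prefixes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


HASHED_STORE = {"alice": hash_password("hunter2")}
```

A dump of HASHED_STORE gives an attacker only salted digests to grind through, whereas a dump of PLAINTEXT_STORE is the credential list itself.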

RockYou is just the latest site on the internet to learn this hard lesson. Supposedly the hacker is one of the good guys, but there is no guarantee that someone else didn’t get the information as well. It’s an argument for doing away with passwords altogether: how long will it be until we can use public/private key authentication with websites? It is now accepted best practice with SSH, since the advent of widespread SSH bruteforcing.

Private key authentication solves a lot of the problems with websites storing password information; the hacker would have gained nothing besides the ability to verify that users were who they claimed to be.

Back from Melbourne && SSH Botnets

I’ve been quiet over the Christmas/New Year period, but that doesn’t mean I’ve left my computer alone. On the contrary, I’ve been working on some projects that have been waiting for quite a while. The most important of these is a tool to fight back against the hackers and bot networks that have been trying (unsuccessfully) to bruteforce servers I own or manage for the last 2-3 years. I have seen other posts about the rise of bruteforcing attacks on SSH servers recently, and the added complexity of those attacks coming from multiple locations (botnet coordinated).

Bruteforce attacks on SSH are nothing new; I remember seeing them as far back as 2005. At the time I was managing about 25 Linux servers, and the bruteforce attacks would cause accounts to get locked out (which I would then have to unlock). For the most part we dealt with the problem by having a strict hosts.allow/hosts.deny setup (and of course auditing passwords for complexity). Beyond that, I was somewhat powerless to do anything about the attempts.

These days I run a dedicated server and a couple of virtual servers, and I was seeing the same kind of attempts in my logs. Unlike when managing someone else’s servers, though, I have the ability to actively fight back against the attacks. So I am.
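A defender’s view of what those log entries look like, as an added example that is not part of the original post or the author’s tool: it parses a few constructed sshd log lines and separates the classic single-source brute force (which a hosts.deny entry handles) from the coordinated pattern where one username is tried from many addresses. The hostname, PIDs, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd lines in syslog format; hostname, PIDs and addresses are
# made up for the example (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jan  4 03:12:01 vps sshd[2201]: Failed password for invalid user oracle from 203.0.113.10 port 40122 ssh2
Jan  4 03:12:03 vps sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 51020 ssh2
Jan  4 03:12:05 vps sshd[2205]: Failed password for invalid user oracle from 192.0.2.44 port 33010 ssh2
Jan  4 03:12:07 vps sshd[2207]: Failed password for invalid user oracle from 203.0.113.77 port 40990 ssh2
Jan  4 03:12:09 vps sshd[2209]: Failed password for root from 198.51.100.7 port 51021 ssh2
Jan  4 03:12:11 vps sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan  4 03:12:13 vps sshd[2213]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jan  4 03:12:20 vps sshd[2215]: Accepted publickey for deploy from 192.0.2.9 port 22000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failures(log_text):
    """Return (user, ip) for every failed password attempt; other lines are ignored."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("ip")))
    return pairs

def classify(pairs, per_ip_threshold=3, distinct_ip_threshold=3):
    """noisy_ips: one address with >= per_ip_threshold failures, the classic case a
    hosts.deny entry or per-IP ban handles. distributed_users: one username tried
    from >= distinct_ip_threshold addresses, the coordinated pattern a per-IP rule
    misses because each source stays under its threshold."""
    failures_by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for user, ip in pairs:
        failures_by_ip[ip] += 1
        ips_by_user[user].add(ip)
    noisy = sorted(ip for ip, n in failures_by_ip.items() if n >= per_ip_threshold)
    distributed = sorted(u for u, ips in ips_by_user.items()
                         if len(ips) >= distinct_ip_threshold)
    return {"noisy_ips": noisy, "distributed_users": distributed}

def analyse(log_text=SAMPLE_LOG):
    return classify(parse_failures(log_text))
```

On the sample, 198.51.100.7 trips the per-IP rule on its own, while the four single attempts against "oracle" only stand out once failures are grouped by username rather than by source.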

I started using ‘kojoney’, an SSH honeypot, but found that while it was fun watching the hackers log in and try to compromise a sandbox, it was not what I wanted. So I modified kojoney to log the password used (in addition to the username) and set up a Ruby on Rails project that would record this information, along with the originating IP address, and attempt to log in to that IP address with the username/password combo. I called the project mirror, a sort of if-you-bruteforce-me-it’ll-bruteforce-you kind of thing.

Then I left it alone. I hadn’t expected to see any success, but when I checked the logs a few days later I’d successfully logged into a host in Poland. It was a non-privileged account, but I backed up everything that the people had uploaded and changed the password on the account.

A few days later I scored another server, this time a root account. I decided that rather than manually logging in and disabling their access I would go one step further and set up Capistrano tasks to secure the box (as much as you can a box that has been compromised at root level). Not only that, but the SSH bruteforcer that had been running on this host had gotten 2 more vulnerable root accounts.

There are typically 2 pieces of software installed on the box: an SSH bruteforcer and a botnet client. At times there are multiple copies of both, if the host has been compromised multiple times.

So far it’s ME 4 to Crackers 0. I know the battle isn’t over, and that what I’m doing is somewhat grey, but I don’t know of a more ‘white hat’ way of helping stop hackers. If those four servers are managed by people that are *clearly* stupid, then someone has to step into the breach. Now if only I could find somewhere to send the invoice for my time.

I will provide anyone who is a legitimate security researcher with more details (upon request), including copies of the botnet and ssh-scan software (which shouldn’t be too hard to get with a regular honeypot anyway).

Hackers: Don’t Fear Them…Learn From Them

Without debating whether hackers are good, bad or simply a myth created by companies that need extra money, the common garden variety of hacker has a lot to share with those of us who are less computer literate. Hackers spend inordinate amounts of time delving into computers, and more to the point looking at computer security. Rather than fearing the hackers, we can take a page from their book and focus a little on how to secure your computer.

Antivirus
It sounds simple, and it is, but having a virus scanner on your computer is the first step towards securing it against intrusion. While not all viruses breach security, there are plenty that do, sending documents from your computer to complete strangers or simply reporting passwords. That’s a good enough reason to download an up-to-date virus scanner.

It’s important to note that for a virus scanner to be effective, it needs to be kept up to date. If it hasn’t got the latest patterns/definitions then you might as well not have it at all. There are plenty of virus scanners on the market, and the one you use comes down to preference; the URLs below should help you out:

http://www.symantec.com
http://www.trendmicro.com
http://www.grisoft.com

Spyware Removal Tools
One of the most annoying aspects of the internet today is spyware/adware. Not only does it cause the computer to stop functioning correctly, various types of spyware also, funnily enough, spy on your computer usage. Removing them can be a stressful and time-consuming effort; the links below are useful for removing spyware and protecting your computer against further infection.

http://www.safernetworking.com
http://www.lavasoftusa.com

Firewalls
Perhaps the most misunderstood piece of technology on the planet, the firewall is a piece of software that sits between your computer and the rest of the network, or in bigger setups, between the local network and the internet. Firewalls work by stopping traffic coming into a given area, while still allowing traffic to go out.

For the price of a cheap computer you can set up your very own Linux firewall around your network, customising it down to the finest details as to what you want to let in and out. It is an important step, but one that most people do not need.

The links below are for firewall applications that can be installed on your computer and used to filter both incoming traffic, and outgoing traffic generated by applications. This will help prevent attackers from gaining access to your computer.

http://www.agnitum.com
http://www.zonelabs.com
http://www.tinysoftware.com
http://www.kerio.com
http://www.sygate.com

Encryption

Less used than even the firewall, encryption is where you encrypt files and text so you can securely pass them through the internet without the risk of anyone snooping on your information. There are many tools for encrypting information; perhaps the most well known is PGP, or Pretty Good Privacy, which can be used to encrypt both files on your computer and emails that you send.

Conclusion

The above applications are not the end of your security efforts; to tell you the truth, they are only the beginning. Having a secure computer is about methodology: if you are consciously trying to secure your computer, then you will be aware when you do something that makes it less secure. There is no harm in being a little paranoid, and certainly no harm in protecting your assets against unwanted intrusion; on that issue, hackers have their stuff sorted out.