Wednesday, May 2, 2018
Beware the signs of a potentially malware-infested PC:
You wait and wait. You might ask yourself:
“My homepage has changed and I don’t remember doing it myself”
If you notice unusual behavior such as a new toolbar appearing out of nowhere, or you are redirected to a different web address than the one you initially entered, these could be signs of a malware infection. It usually happens when you visit a website and accidentally click on a link or a pop-up window, which triggers the unwanted software to download and install itself on your device. Its effects are not only annoying but also malicious.
What to do? Run a complete scan with your security software as soon as possible. Why? Because these types of threats don't go away easily.
Thursday, March 23, 2017
Docker is a software container platform. System administrators use Docker to run and manage apps side-by-side in isolated containers to get better compute density. Companies use Docker to build agile software delivery pipelines to ship new features faster, more securely and with confidence for both Linux and Windows Server. Developers use Docker to eliminate “works on my machine” problems when collaborating on code with co-workers.
What is a Container?
With containers, everything required to make a piece of software run is packaged into an isolated unit. Unlike VMs, containers do not bundle a full operating system; only the libraries and settings required to make the software work are included. This makes for efficient, lightweight, self-contained systems and guarantees that the software will always run the same, regardless of where it is deployed.
Additionally, in both cases (VM and container) that environment is represented as a binary artifact that can be moved between hosts. There may be other similarities, but these are the two biggest.
Docker Datacenter on Docker Engine includes service discovery and load balancing capabilities to aid the devops initiatives across any organization. Service discovery and load balancing make it easy for developers to create applications that can dynamically discover each other. Also, these features simplify the scaling of applications by operations engineers.
Docker Datacenter allows network and system administrators to provide secure, scalable, and highly efficient networking internally and externally through service discovery and load balancing. Service discovery is an integral part of any distributed system and service-oriented architecture. As applications increasingly move towards microservices and service-oriented architectures, the operational complexity of these environments grows. Service discovery registers each service and publishes its connectivity information so that other services know how to connect to it.
Internal DNS server:
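As an added illustration of the service-discovery and load-balancing idea described above (this is example code written for this page, not Docker's own implementation or anything from the original post): Docker's embedded DNS server answers a service name with the addresses of the containers currently backing it, and clients spread requests across those answers. The toy registry below plays the DNS server's role in plain Python, with containers registering and withdrawing their endpoints, a health flag per endpoint, and client-side round-robin over the healthy ones. The class and method names, and the 10.0.0.x addresses, are assumptions made for the example.

```python
from collections import defaultdict


class ServiceRegistry:
    """Maps a service name to the healthy endpoints that currently back it.

    Hypothetical stand-in for an embedded DNS server (not Docker's code):
      register()   - a container publishes its connectivity info on start-up
      deregister() - it withdraws on shutdown
      set_health() - a health check marks an endpoint usable or not
      resolve()    - like a DNS A-record lookup: all healthy endpoints for a name
      pick()       - client-side round-robin load balancing over resolve()
    """

    def __init__(self):
        self._endpoints = defaultdict(list)  # name -> [(ip, port), ...] in registration order
        self._healthy = {}                   # (name, ip, port) -> bool
        self._next = defaultdict(int)        # name -> round-robin cursor

    def register(self, name, ip, port):
        key = (ip, port)
        if key not in self._endpoints[name]:
            self._endpoints[name].append(key)
        self._healthy[(name, ip, port)] = True

    def deregister(self, name, ip, port):
        key = (ip, port)
        if key in self._endpoints[name]:
            self._endpoints[name].remove(key)
        self._healthy.pop((name, ip, port), None)

    def set_health(self, name, ip, port, ok):
        if (name, ip, port) not in self._healthy:
            raise LookupError(f"{name} has no endpoint {ip}:{port}")
        self._healthy[(name, ip, port)] = ok

    def resolve(self, name):
        """All healthy endpoints for a service; LookupError if the name is unknown."""
        if name not in self._endpoints or not self._endpoints[name]:
            raise LookupError(f"no such service: {name}")
        return [(ip, port) for ip, port in self._endpoints[name]
                if self._healthy[(name, ip, port)]]

    def pick(self, name):
        """Round-robin over the endpoints that are healthy right now."""
        candidates = self.resolve(name)
        if not candidates:
            raise LookupError(f"no healthy endpoint for {name}")
        chosen = candidates[self._next[name] % len(candidates)]
        self._next[name] += 1
        return chosen


if __name__ == "__main__":
    # Constructed scenario: three replicas of "web", one of which goes unhealthy.
    reg = ServiceRegistry()
    for ip in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        reg.register("web", ip, 80)
    print("resolve:", reg.resolve("web"))
    print("picks:", [reg.pick("web") for _ in range(4)])
    reg.set_health("web", "10.0.0.3", 80, False)
    print("after health failure:", [reg.pick("web") for _ in range(2)])
```

The point the example makes is that a lookup is only as good as the registry's view of health: a replica that has crashed but never deregistered keeps receiving a share of requests until a health check removes it from the answer set.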
Monday, November 7, 2016
How to fix millions of vulnerable IoT devices used in the Mirai DDoS attacks.
15 years ago I received the call from my friend Don Jensen. He was the head IT guy for Granite Construction, Heavy Construction division. He had four remote sites infected with the Nimda worm.
Wikipedia sums it up here:
"Nimda is a file infecting computer worm. It quickly spread, surpassing the economic damage caused by previous outbreaks such as Code Red. Nimda utilized several types of propagation techniques and this caused it to become the Internet’s most widespread virus/worm within 22 minutes.
The worm was released on September 18, 2001. Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000 or XP and servers running Windows NT and 2000.
The worm exploited various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. Nimda was hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS server."
It was affecting all of the telephone service at the remote sites (Las Vegas, Minneapolis, Dallas, and Tampa). The phone systems were running Cisco Communication Center on top of Windows 2000 server. Microsoft Internet Information Server administration GUI was the admin control console.
What a mess. I was at my home in California, and traveling to each remote site was not possible.
This HAD to be repaired remotely, so I started to investigate what made Nimda tick, and found a solution. (This advisory from CERT was really helpful.)
I used it against itself. I "hacked" each of the Windows servers using the exact same security hole that made Nimda possible: I opened a browser window, plugged in the IP address of the infected server, and began typing commands, starting with "CMD.EXE".
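The same directory traversal requests that let Nimda (and, in the story above, the cleanup) reach CMD.EXE through the web server leave a distinctive trail in the IIS logs, which is how a defender would find infected or probed hosts. The script below is an added example written for this page, not the author's tooling and not from the CERT advisory: it normalizes request paths the way a patched server would (undoing double percent-encoding such as %255c and the overlong UTF-8 "Unicode" slash sequences the IIS traversal bugs relied on), then flags traversal and requests for cmd.exe or root.exe. The W3C-style log lines and the 192.0.2.x / 198.51.100.x addresses are constructed sample data; the field order and the helper names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log in a W3C extended format (not a real server log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:15:01 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:15:02 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-09-18 10:15:03 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 10:16:00 198.51.100.7 GET /index.htm - 200
2001-09-18 10:16:05 198.51.100.7 GET /images/logo.gif - 200
""".splitlines()

# Overlong UTF-8 encodings of '/' and '\' that the vulnerable IIS versions
# decoded only after their path check had run; treat all of them as a slash.
OVERLONG_SLASH = re.compile(r"%c0%af|%c1%9c|%c1%1c", re.IGNORECASE)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SUSPICIOUS_EXE = re.compile(r"/(cmd|root)\.exe$")


def normalize_path(raw):
    """Canonical form of a request path: overlong slashes, double decoding, backslashes."""
    path = OVERLONG_SLASH.sub("/", raw)
    for _ in range(2):            # %255c -> %5c -> '\'  (double encoding)
        path = unquote(path)
    return path.replace("\\", "/").lower()


def classify(raw_path):
    """Return (normalized path, list of reasons); an empty list means nothing suspicious."""
    normalized = normalize_path(raw_path)
    reasons = []
    if TRAVERSAL.search(normalized):
        reasons.append("directory traversal")
    if SUSPICIOUS_EXE.search(normalized):
        reasons.append("cmd.exe/root.exe request")
    return normalized, reasons


def scan_log(lines):
    """Walk log lines and collect one alert per request that looks like a traversal probe."""
    alerts = []
    for line in lines:
        if line.startswith("#"):          # W3C directive lines
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        src_ip, uri = parts[2], parts[4]  # assumed field order, see #Fields above
        normalized, reasons = classify(uri)
        if reasons:
            alerts.append({"src": src_ip, "uri": uri,
                           "normalized": normalized, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["src"], alert["normalized"], ", ".join(alert["reasons"]))
```

Normalizing before matching is the important step: a rule that looks for a literal "../" in the raw log misses both encoded forms in the sample, which is exactly why the vulnerable servers were fooled in the first place.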
After the massive DDoS attack in October 2016, I started to think about how to remotely patch the millions of video cameras, DVRs, and doorbells that were being compromised by Mirai, and downloaded the source code. I think this just might work, but it may not be legal to remotely patch and upgrade all the IoT devices in the world.
Monday, October 24, 2016
Mirai botnet takes down major websites with massive DDoS (Distributed Denial of Service) attack.
Last Friday, DNS provider Dyn was hit with the most powerful distributed denial of service (DDoS) attacks ever recorded, which knocked major websites offline for several hours.
Dyn provides services, like CloudFlare, that Internet companies use for external "cloud" hosting, DNS, load balancing, traffic management, and border/gateway malware protection. You can read the Dyn blog here:
A DDoS attack is a distributed DoS attack (DoS is short for denial of service).
How to shut down major web sites like Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
The DDoS attack on Dyn last Friday was caused by a Mirai botnet made up of tens of thousands of Internet of Things (IoT) devices, mainly because users failed to change the default passwords on low-cost IP cameras and routers. In the attack on Dyn's site the hackers were able to generate over 600 gigabits per second of network traffic. Analysts have confirmed that the attack was caused by hackers using the compute power of poorly secured IP cameras, home controllers and other IoT devices to flood Dyn's servers with data. While it has been known for some time that IP cameras are vulnerable, this is the first time we've seen this vulnerability harnessed on such a large scale: in three DDoS attacks within a matter of hours, between 60,000 and 600,000 home networks connecting simultaneously formed a massive attack of 600 gigabits per second. This traffic came from DVRs, IP cameras and other devices left with their default passwords in place after installation. Some of these devices have software or "firmware" updates to fix security vulnerabilities that the vendor discovers, but few hardware makers do a good job of making this process simple and easy for users, or of alerting customers to the availability of firmware updates.
Once installed, Mirai scans the internet. When it finds targets, it attempts to log in using many well-known passwords. Once Mirai finds and infects a new device, it contacts the hacker controlling these devices, and the device has now become part of a botnet under the hacker's control.
Bots (B) communicating with the Mirai C2 (C) were found scanning across TCP port 23 and port 2323 as well as performing DDoS attacks against various victims (D). Bots sent one-way traffic towards a report server (R) (report.santasbigcandycane.cx), which were the IP addresses and credentials of the vulnerable hosts. This was hypothesized due to the fact that several other IP addresses (L, loaders) would communicate with IP addresses that were previously scanned and later identified as bots. This communication contained bi-directional traffic on port 23, sometimes with large packet sizes, signifying interaction with the telnet service. We observed these same victims accessing a different IP address (M) on port 80 with large packet sizes. This IP address hosted the Mirai binary itself and the large packet sizes were due to the victim downloading the malware. After downloading the binary and finishing interaction with the loader, the victim IP would begin bot activity. Throughout our investigation we identified a long-lived IP connection from a TOR exit node to the report server (R), which we believe may have been the botnet author controlling the botnet. With the botnet established, it was being sold to various users (U) who used an API hosted on the C2 server (C) to order DDoS attacks.
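The traffic pattern laid out above (a loader session on port 23 into a device, the device fetching the binary on port 80, then the device itself scanning on 23 and 2323) is the sequence a network defender can look for in flow records to find infected devices on their own network before the devices join an attack. The script below is an added example written for this page, not code from the report quoted above or from the Mirai source: it replays constructed flow tuples in time order, remembers for each local host the first inbound telnet session and the first port-80 fetch after it, and counts distinct external telnet targets. The flow format, the 10.0.0.0/24 "local" prefix, the threshold and all addresses (RFC 5737 documentation ranges) are assumptions.

```python
from collections import defaultdict

TELNET_PORTS = {23, 2323}
SCAN_THRESHOLD = 5          # distinct external telnet targets before a host is flagged (assumed)

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port). Not real capture data.
SAMPLE_FLOWS = [
    # loader (L) talks telnet into a device on our network
    (100, "203.0.113.5", "10.0.0.20", 23),
    (101, "203.0.113.5", "10.0.0.20", 23),
    # the device then fetches the bot binary from the malware host (M) on port 80
    (130, "10.0.0.20", "203.0.113.9", 80),
] + [
    # ...and starts probing the internet on 23/2323 like a bot (B)
    (160 + i, "10.0.0.20", f"198.51.100.{i}", 23 if i % 2 else 2323)
    for i in range(1, 9)
] + [
    # benign traffic from another host: one admin telnet session and some HTTPS
    (200, "10.0.0.30", "198.51.100.50", 23),
    (201, "10.0.0.30", "198.51.100.51", 443),
]


def analyze(flows, local_prefix="10.0.0.", scan_threshold=SCAN_THRESHOLD):
    """Return {local_host: finding} for hosts whose flows match the bot life cycle."""
    def is_local(ip):
        return ip.startswith(local_prefix)

    state = defaultdict(lambda: {"inbound_telnet": None,
                                 "binary_fetch": None,
                                 "scan_targets": set()})

    for ts, src, dst, dport in sorted(flows):
        # Stage 1: an outside host opens telnet to one of our devices (loader session).
        if is_local(dst) and not is_local(src) and dport in TELNET_PORTS:
            if state[dst]["inbound_telnet"] is None:
                state[dst]["inbound_telnet"] = ts
        if is_local(src):
            host = state[src]
            # Stage 2: first outbound port-80 fetch after that session (binary download).
            if dport == 80 and host["inbound_telnet"] is not None and host["binary_fetch"] is None:
                host["binary_fetch"] = ts
            # Stage 3: the device itself probes outside hosts on telnet ports.
            if dport in TELNET_PORTS and not is_local(dst):
                host["scan_targets"].add(dst)

    findings = {}
    for host, s in state.items():
        targets = len(s["scan_targets"])
        if targets < scan_threshold:
            continue                      # a lone admin telnet session stays below the bar
        verdict = "likely bot: telnet scanning"
        if s["inbound_telnet"] is not None and s["binary_fetch"] is not None:
            verdict = "likely bot: loader session, binary fetch, then telnet scanning"
        findings[host] = {"inbound_telnet": s["inbound_telnet"],
                          "binary_fetch": s["binary_fetch"],
                          "scan_targets": targets,
                          "verdict": verdict}
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_FLOWS).items():
        print(host, finding)
```

Scanning alone is enough to flag a host; the earlier stages only raise confidence, because a device that was already infected before monitoring started will show stage 3 without the others.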
Thursday, December 3, 2015
Three Generations of Diagramming Software
Static Diagrams with Visio
Neatly drawn but cumbersome to create and update.
Static Diagrams with Auto-Discovery
Difficult to scale and overly complex to setup.
Highly scalable, built on-demand, and always Up-to-date.