A Cure for Electronic Theft?


What if we created a new electronic currency à la Bitcoin, with a twist? Let’s start by taking an idea from the Federal Government and put a watermark on our personal funds, something unique that signifies who legally possesses the currency. Cattle ranchers do this with a brand so nobody steals their cattle. This has worked pretty well for a few hundred years, right?

With our new personal watermark, suppose somebody breaks into your bank and wires all your money to some idiot in Russia. In today’s world the only way to find that money is to follow the trail, and that takes a huge effort from a banking forensics person working with international governments. The money may travel so fast it may not be possible to recover. Now, suppose the funds had an electronic tag that could not be altered by a criminal. For example, currency in your possession has a public/private encryption key, and only you can authorize a change in possession.

I am not going to spend any more effort on the mechanics of currency ownership; suffice it to say it could be done in many different ways. The problem with my proposed solution is the resistance it will meet from all sides.

  • The privacy crowd will beat the drum and scare ignorant people into thinking that the government will know how much money they have. The flaw with this argument is that, unless you are underground and dealing in cash now, every bank transaction you have ever made is visible to the government. In essence, there is no net change here in terms of privacy. I’d also be fine with an optional cash currency for those that want to opt out; I don’t really care. For tax-paying citizens with nothing to hide there is no new privacy downside to watermarking your funds.
  • The security industry will backdoor fight this tooth and nail. As I alluded to in a previous article, the security business has grown to a magnitude of scale well beyond the assets they protect. In other words, the security industry is extorting more funds than the actual threat they are protecting you against.
  • Mexico, a country that does 80 billion plus in the drug trade, has no interest in traceable funds. Someplace, somewhere, they will lobby against this change, under the guise of some legitimate reason.
  • Politicians and their donors. Despite the rhetoric, there is absolutely no incentive to make this process transparent.

IT Security Business Is Your Frenemy


Is there a security company out there working in conjunction with a hacker, possibly creating the demand for their services? The old insurance protection shakedown turned high tech? And, if so, how would you know? I try to make it clear to our customers that we are not in the security business for this very reason, but for most IT equipment and consulting companies security is becoming their main business driver.

If the world’s largest automaker will commit fraud to gain an advantage, there must be a few security companies out there that might rationalize breaking into a company’s network, while at the same time offering them security equipment in order to make a sale. Perhaps they are not meeting their sales goals, or facing bankruptcy, or just trying to grow. The fact is, IT investment in security is big business. The train is rolling down the tracks, and just like our war on drugs, increased spending and manpower seems to have no measurable results. Who makes more money, companies that make bank vaults, or the criminals that attempt to rob banks? I bet, if you add up all the revenue gleaned from stolen credit cards or other electronic assets, that it is pennies on the dollar when compared to spending on IT security.

Yikes I Have Been Hacked


I had just opened up my network to outside requests, thinking this will only take a few minutes. The idea was to attack my home network from the outside, blasting it with endless loops of rapid queries from external servers in cyberspace, thus simulating a DDoS attack. It turns out I was not alone in attacking my network.

When I went to my DDoS monitor screen to see my attack, I saw the chart below. All those Source Ports showing 22 are the result of a server on my network randomly attempting to log in to computers outside my network. How ironic: while testing my own DDoS software from an outside attack, I find out that one of my servers has been hijacked to do the dirty work for some other hacker. I am only showing about 46 attempts in the table below, but all in all, there were about 450 of them. They appeared all of a sudden out of nowhere. And then Comcast shut me down, when I hit their security circuit breaker. Or so I surmised, because this is not the first time this has happened to me, and I usually get a call from Comcast telling me to run my virus software. You know how you are not supposed to talk to strangers? Well, I had been getting these calls out of the blue from somebody claiming to be “Comcast” security, and the sounds in the background during the scratchy call were like one of those Indian boiler plate call centers … so I had been ignoring them, just humoring these people. But perhaps they really were Comcast? Or perhaps this was just the coup de grâce from the hacker pretending to be Comcast after orchestrating the attack, in order to gain my trust and get my bank account? Like a bad Mission Impossible plot, I don’t know who to trust anymore.

How to get Access to Blocked Internet Sites and Blocked Video Services


Have you ever taken a flight where video access is blocked?

Perhaps you are in a European Country where a well known provider blocks Skype to force you to use their phone service?

All you need to get around these suspect practices is to use a standard VPN, and it is easier than you think. I am on a flight right now and am going to try watching a movie. I am using IPvanish, but there are many VPN services you can choose from, and use for just a few dollars a month.

Just today, I was trying to restore my iPad to factory defaults. I supposedly have 20 megabit business service from Comcast. While running the restore, I noticed that my download speed was running at about 200kbs max, and yet speed tests were showing no problems with my connection. So I rebooted my computer, started up my VPN, and found out that I am not getting my full 10 megabits. What can I infer from this? Well, I can only assume that Comcast has some sort of bandwidth control and is identifying my Apple device download and slowing it down. I was able to repeat this test.

By the way, I did get to watch a movie on my flight – success!  And that was a much needed break from work.

Note: There is one more trick required to un-block for some VPN services and some streaming sites. You may need to hide your DNS activities as well, since some blocking services will also block the DNS request before you even get to the site.

For example, the VPN tunnel will hide what you are doing from anybody, but the initial lookup service to get the site may not be hidden, because by default you are likely using your provider’s DNS service. So, you should also set your DNS service to a third-party site other than your provider after you fire up your VPN. In this way DNS requests should also be encrypted.

Firewall Recipe for DDoS Attack Prevention and Mitigation


Although you cannot “technically” stop a DDoS attack, there are ways to detect and automatically mitigate the debilitating effects on your public facing servers. Below, we shed some light on how to accomplish this without spending hundreds of thousands of dollars on a full service security solution that may be overkill for this situation.

Most of the damage done by a targeted DDoS attack is the result of the overhead incurred on your servers from a large volume of fake inquiries into your network. Often with these attacks, it is not the volume of raw bandwidth that is the issue, but the slow response time due to the overhead on your servers. For a detailed discussion of how a DDoS attack is initiated please visit http://computer.howstuffworks.com/zombie-computer3.htm

We assume in our recipe below, that you have some sort of firewall device on your edge that can actually count hits into your network from an outside IP, and also that you can program this device to take blocking action automatically.

Note: We provide this type of service with our NetGladiator line. As of our 8.2 software update, we also provide this in our NetEqualizer line of products.

Step 1
Calculate your baseline incoming activity. This should be a running average of unique hits per minute or perhaps per second. The important thing is that you have an idea of what is normal. Remember we are only concerned with un-initiated hits into your network, meaning outside clients that contact you without being contacted first.

Step 2
Once you have your base hit rate of incoming queries, set a flag to take action (Step 3 below) should this hit rate exceed 1.5 standard deviations above your baseline. In other words, act if your hit rate jumps by a statistically large amount compared to your baseline for no apparent reason, i.e. you did not mail out a newsletter.

Step 3
You are at Step 3 because you have noticed a much larger than average hit rate of un-initiated requests into your web site. Now you need to look for a hit count by external IP. We assume that the average human will only generate at most a hit every 10 seconds or so, maybe higher. Also, on average they will likely not generate more than 5 or 6 hits over a period of a few minutes, whereas a hijacked client attacking your site as part of a DDoS attack is likely to hit you at a much higher rate. Identify these incoming IPs and go to Step 4.

Step 4
Block these IPs on your firewall for a period of 24 hours. You don’t want to block them permanently because it is likely they are just hijacked clients, and also if they are coming from behind a NAT’d community (like a university) you will be blocking a larger number of users who had nothing to do with the attack.

If you follow these steps you should have a nice pro-active watch-dog on your firewall to mitigate the effects of any DDoS attack.
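The four steps above, sketched as an added example (not code from NetGladiator or NetEqualizer). It assumes the firewall can hand over one minute of un-initiated inbound hits as `(timestamp, src_ip)` pairs; the class and function names, the per-minute window and the sample addresses are all constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

SIGMA = 1.5                 # Step 2: act above baseline + 1.5 standard deviations
MAX_HITS_PER_IP = 6         # Step 3: one hit per 10 s is the assumed human ceiling
BLOCK_SECONDS = 24 * 3600   # Step 4: 24-hour block, never permanent


def spike_threshold(history):
    """Steps 1-2: mean of per-minute hit counts plus SIGMA standard deviations."""
    return mean(history) + SIGMA * pstdev(history)


def offenders(minute_hits, max_hits=MAX_HITS_PER_IP):
    """Step 3: source IPs that exceeded the per-IP ceiling in this minute."""
    counts = Counter(src for _ts, src in minute_hits)
    return sorted(ip for ip, n in counts.items() if n > max_hits)


class Watchdog:
    def __init__(self, history):
        self.history = list(history)  # un-initiated inbound hits per minute
        self.blocked = {}             # ip -> epoch second when the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]      # block has aged out
            return False
        return True

    def observe_minute(self, minute_hits, now):
        """Feed one minute of (timestamp, src_ip) hits; return newly blocked IPs."""
        total = len(minute_hits)
        if total <= spike_threshold(self.history):
            self.history.append(total)  # only quiet minutes extend the baseline
            return []
        newly = [ip for ip in offenders(minute_hits) if not self.is_blocked(ip, now)]
        for ip in newly:
            self.blocked[ip] = now + BLOCK_SECONDS
        return newly


def constructed_attack_minute(now):
    """Constructed sample: 30 ordinary clients plus two flooding sources."""
    hits = [(now - i, f"198.51.100.{i + 1}") for i in range(30)]
    for attacker in ("203.0.113.7", "203.0.113.9"):
        hits += [(now - (i % 60), attacker) for i in range(60)]
    return hits


if __name__ == "__main__":
    dog = Watchdog([40, 44, 38, 42, 41, 39, 43, 45])  # constructed baseline
    print(dog.observe_minute(constructed_attack_minute(1_000_000), 1_000_000))
```

A busy client is only blocked while the overall rate is above the threshold, and minutes that trip the threshold are kept out of the baseline so a sustained flood cannot raise it.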

For further consulting on DDoS or other security related issues feel free to contact us at admin@apconnections.net.


Notes from a cyber criminal


After a couple of recent high-profile data thefts, I put the question to myself: how does a cyber thief convert a large amount of credit cards into a financial windfall?

I did some research, and then momentarily put on the shoes of a cyber thief. Here are my notes and thoughts:

I am the greatest hacker in the world and I just got ahold of twenty million Home Depot debit cards and account numbers. What is my next move? Well, I guess I could just start shopping at Home Depot every day and maxing out all my stolen account cards with a bunch of lawn mowers, garden hoses, and other items. How many times could I do this before I got caught? Probably not that many; I am sure the buying patterns would be flagged even before the consumer realized their card was stolen, especially if I was nowhere near the home area code of my victim(s). And then I’d have to fence all those items to turn it into cash. But let’s assume I acted quickly and went on a Home Depot shopping spree with my twenty million cards. Since I am a big-time crook I am looking for a haul I can retire on, and so I’d want to buy and fence at least a few hundred thousand dollars’ worth of stuff out the gate. Now that is going to be quite a few Craigslist advertisements, and one logistical nightmare to move those goods, and also I am leaving a trail back to me because at some point I have to exchange the goods with the buyer and they are going to want to pay by check. Let me re-think this…

Okay, so I am getting smarter. Forget the conventional method; what if I find some Russian portal where I can just sell the Home Depot cards and have the funds paid in Bitcoin to some third-party account that is untraceable? How many people actually have Bitcoin accounts, and how many are interested in buying stolen credit cards on the black market, and then how to ensure that the numbers have not been deactivated? Suppose I sell to some Mafia type and the cards are not valid anymore? Will they track me down and kill me? Forget the Bitcoin, I’ll have to use PayPal, again leaving a trail of some kind. So now how do I market my credit card fencing site? I have 20 million cards to move and no customers. A television advertisement, an underworld blog post? I need customers to buy these cards and I need them fast; once I start selling them Home Depot will only take a few days to shut down their cards. Maybe I can just have an agent hawk them in Thailand for $3 each, that way I stay anonymous. Yeah, that’s what I’ll do. Whew, I’ll be happy if I can net a few thousand dollars.

Conclusion: Although the theft of data makes a great headline and is certainly not to be taken lightly, the ability for the crook(s) to convert bounty into a financial windfall, although possible, is most likely a far more difficult task than the data theft. Stealing the data is one thing, but profiting from it on anything but the smallest scale is very difficult if not impossible.

The real problem for the hacked commercial institution is not covering the loss of revenue from the theft, but the loss of company value from loss of public trust, which can mount into the billions.

Although my main business is Bandwidth Control, I do spend a good deal of thought cycles on Security, as on occasion the two go hand in hand. For example, some of the utilities we use on our NetEqualizer are used to thwart DoS attacks. We also have our NetGladiator product, which is simply the best and smartest tool out there for preventing an attack through your Website.

10 Web Application Security Tools You Can’t Do Without


By Zack Sanders – Director of Security – APconnections

Since initiating our hacking challenge last year, we’ve helped multiple organizations shore up security flaws in their web application infrastructure. Proper web application security testing is always a mix of automated testing and manual testing. If you just run automated tests and don’t have the knowledge to interpret the results, the amount of false positives thrown at you will result in little value. If you don’t know the ins and outs of common vulnerabilities, manual testing alone will get you nowhere. With the right mix, you can create a baseline analysis from the automated tests that will help determine what areas of the application should be explored further manually.

Here are some of the tools I use the most when assessing a new web application along with brief descriptions*:

1) Metasploit – http://www.metasploit.com/ – Metasploit is an entire framework for penetration testing and security analysis. The tools are all open source and the community behind the software is outstanding.

2) DirBuster – http://sourceforge.net/projects/dirbuster/ – DirBuster is a directory brute force tool that allows you to create a tree view of a web application’s file system.

3) Nessus – http://www.tenable.com/products/nessus – Nessus is a great tool for identifying server-level vulnerabilities.

4) John the Ripper – http://www.openwall.com/john/ – JTR is a password cracker tool.

5) Havij – http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/ – Havij is an advanced SQL injection tool that provides a GUI for conducting injection tests.

6) Charles Web Proxy – http://www.charlesproxy.com/ – Charles is an awesome tool that allows you to modify requests and responses in web applications.

7) Tamper Data Firefox Add-On – https://addons.mozilla.org/en-us/firefox/addon/tamper-data/ – Like Charles, this tool also allows you to modify requests.

8) Skipfish – http://code.google.com/p/skipfish/ – Skipfish is a web application security vulnerability scanner that will scan an entire website for issues. It results in quite a few false positives but also legitimate issues.

9) Firebug – https://getfirebug.com/ – This is a debugging tool for web developers but it is useful for security professionals in that you can easily see what is happening behind the scenes.

10) Websecurify – http://www.websecurify.com/ – Websecurify is an entire security environment meant for assisting in the manual testing phase.

These are only some of the tools out there for security professionals who are testing web applications. There are many more. But, they aren’t just available to the good guys. Bad guys have access to them too and are using them in attacks all the time. Let us know if we can run a security assessment for your organization using the same tools hackers do. The investment will be well worth it.

Contact us today at: ips@apconnections.net

*Use these tools at your own risk and only on websites you have permission to test.
