network – Gingercatsoftware

August 2, 2024

Dear George!

So I’ve been waiting for this insane sort of a situation to happen for about 20 years now. That is, a major part / piece of international IT infrastructure failing. I’m of course talking about the recent crowdstrike failure.

With regards Cyber Security, large companies like to pay someone else to take care of the problem for them. It means they can avoid accountability and pass the buck to someone else. Strange how the crowdstrike stock price is tanking!

https://www.google.com/search?q=crowdstrike+stock+price

The crowdstrike issue was / is an example of humans loving the fact that they can pass the buck. It’s also about environments that lack diversity and this creates or leaves open a single point of failure. Many many machines are going to have to be physically restarted and modified to sort this problem, and the answer to all this is something IT tends to shy away from – that being an environment of variation can be a lot more robust.

What do I mean by this? The answer is a variety of operating systems (ie Mac, Linux, Bsd even Android or ChromeOS) both at the server and user level. Not to mention a variety of routers and switches all carefully constructed to operate together. It’s an interesting thought experiment that few people want to consider because, we are all about the bottom dollar! We want things to be as easy as possible!

The crowdstrike insanity is a huge home goal event, an embarrassing hiccup for a number of companies and even your humble author (I had to go and find cash to try to pay for my weekend vino! By the time I came back the store had closed, because even their cash draws no longer could function)!

It will be interesting to see if we learn anything from this large hiccup that took out about 8.5 million machines. Many of which were parts of important infrastructure including including airlines, banks and hospitals.

A few interesting observations. George Kurtz, the CEO of Crowdstrike has gone thru something similar before – In 2010 while he was working for McAffe a similar problem, that caused a global IT meltdown due to a faulty update. CTO at this time was George Kurtz! Who would have thought!

In a number of companies I have worked for we had a rule. Never, ever run out a major update on a Friday! Unless the client is willing to pay for out of hours weekend support. Guess George is still working on that lesson.

Now I want you to put your thinking caps on and go read about what notpetya did. Think about what you might do if we ever have total Cyber warfare!

October 28, 2023

Feed your firewalls

So as a few of you know I’m this crusty old Sys Admin dude. I have a number of machines that I look after, and they are nearly all Linux machines. They are on pretty much twenty four seven, this site is an example of such an endeavor.

But the internet has a problem – it’s the continual attack on any machine (Mac, Windows Linux, Unix or something else) and any service that said machine might be running.

It’s not uncommon for someone to attempt to attack this machine every day. Probably the worst I’ve seen is about 30 thousand attempts in one day. Typically it’s about 1- 3 K, and I have been whittling this number down … there is a way to manage this.

1 Record what the offensive ip address are (auth log is your friend in this instance)
2 Add these offensive address to the firewall “or better” so that they will not ever have any access, even if it to just rattle the locks on the doors of your computers.

Typically the command, to block an ip address is something like this, it’s not a complex thing .

sudo iptables -A INPUT -s 10.1.1.1/32 -j DROP

People are concerned that one may block out legitimate traffic (and admittedly this is important, especially if you do accidentally add your own ip address!…. do you have physical access to the machine? a plan B?). But don’t let me scare you, what I’m talking about is not complex (just take care!).

When you think about it there are 4,294,967,296 usable version 4 ip address. My current block list on this small machine is about 880 of these…. that is about 0.0000204891% of all available ip v4 address. It’s not much and my machine is rather low tech.

But the problem is routers. My own network is based on a router that is controlled by my isp. I don’t really have total control over this machine, but it would be good if I could manage that process a bit. But the isp says no – you can have 3 settings!

The up shot is, if I’m serious about security and running may own server from home … I have to manage the abuse from a machine level or add an additional router! ?

It would be better to manage it from a router level because then every machine behind that router / firewall would be protected. But we haven’t really made this jump. I also understand that segmenting the internet is not a good thing but I’m happy with my 0.0000204891 % reduction. I don’t feel bad about this.

October 7, 2021October 7, 2021

Pegasus spyware and MVT

So just for the heck of it I installed MVT (Mobile Verification Toolkit) the other day, which is a piece of software released by Amnesty international to check if you have Pegasus spyware installed on your phone.

If you haven’t read about it Pegasus spyware is some nasty stuff (It’s developed by the Israeli cyberarms firm NSO Group). It seems it was installed on Jamal Khashoggi’s phone (you know that chap who was assassinated by agents of the Saudi government at the Saudi consulate in Istanbul, Turkey). Also today I read that Sheikh Mohammed used spyware on Princess Haya and five associates in an unlawful abuse of power.

In short this Pegasus spyware is so bad, they recommend that if it’s installed on your phone you should get rid of / destroy the phone. Apparently even erasing the phone from scratch has no effect!

The detection software it’s self is command line interface based (So not for the average user) and it took a bit of mucking about to get it to run. Using a debian linux machine from scratch it took an hour or 2 to get the dependencies and settings on the phone sorted so that the computer could fossick about the phone for any trace of the nasty.

Although it’s satisfying to be able to do this – the need to do more to protect your devices sprang to mind – a quick glance thru some of the documentation came up a number of urls a few of which I’ll list.

free247downloads[.]com
urlpush[.]net
get1tn0w.free247downloads[.]com
infospress[.]com
https://d38j2563clgblt.cloudfront[.]net
https://2far1v4lv8.get1tn0w.free247downloads[.]com

There is more in this document that you might like to grep thru.
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/.

Be warned The [.] should be removed to find the current related ip address. Do this with care, and only use command line interface related commands, do not open any of the above in a browser!

Which brings up the issue of if your running your own network and routers. I’d slap some acl’s on these darn things and the related ip address, as it will give you a little more protection against possible infection.

In addition to this, is that this software seems to use a lot of url redirects. So if your concerned this article on how to stop redirects may be worth reading.

https://www.techadvisor.com/how-to/internet/how-block-webpage-redirects-3690103/

Stay safe people. It seems that the Internet is still the wild wild west.

You can find the mvt software here.
https://github.com/mvt-project/mvt

May 13, 2021

The Darkside

Ransomware, the stuff of your worst nightmares. It seems as if this is getting very serious. The Darkside is a group of hackers that have recently caused a lot of pain. For example in the US the Colonial Pipeline has been shut down – that’s 5,550 miles of pipe for the oil industry. Meanwhile in Washington DC police are also subject to ransomware – they have allegedly offered $100,000 dollars – apparently this was not enough! So not only are they locking up all those machines they are also sifting thru all your data, and exposing that infomation on the net, using it as an extra point of leverage.

As noted in the Kerbs article. “Security firm Emsisoft found that almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020”.

How do you defend against this? So there is a few ways to approach this – one is to air-gap and remove mission critical computers from the internet. Think about it, that payroll machine? That set of servers that run the production plant? Do they really need to be on the internet 24 /7 ? May be you have one cable that you physically connect when and only when you need to (to run OS software and security updates). Maybe you set up a seperate airgaped network for that server and the network of production machines. Silo those machines.

Anti virus software. Use it but configure it so it doesn’t stop your functionality. This can sometimes feel like a black art, and it’s often hard to get the balance right but it is a good idea for a lot of users.

Backup your files. You have that latest pitch? Is it backed up? Can you restore it? Do you know how long it would take to re build your server? Those 20 machines that are the core of your company? Knowing this and the cost of the emergency rebuild process is something that you should be on to.

Get rid of those very old machines! If you have an old machine that’s never been updated it’s a huge risk vector. Spend some time and money now before it costs you big time.

Use your firewall /s! This is a great starting point, if your activley monitoring things use that info – put it back into your firewall. Do you have a mcahine build you maintain? Why not use that firewall info in your machine builds?

What ever you do “Have a plan!” A cyber security plan.

Being able to protect and if necessary re build you network from scratch is one way of beating these crooks – but if you start looking into the detail of what’s involved it’s scary stuff. Stay safe on the interwebs people!

Related reading – Darkside hack
https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

https://en.wikipedia.org/wiki/Colonial_Pipeline_cyberattack

https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack

Washington DC Police
https://www.vice.com/en/article/5dbgbk/washington-dc-police-allegedly-offered-dollar100000-to-hackers-to-stop-leak