Is there really that much money in it?

June 9th, 2009 | by | security, sysadmin


Disclaimer: I’m not a Comcast subscriber, but I play one on TV

Comcast has me scratching my head. A friend of mine pointed out the following post on the Comcast goofiness. For a long time now they have been messing with DNS: if you mistype a name and look up a site that does not exist in DNS, you get the Comcast ad page instead of an error. Many of the tech savvy folks out there simply got around that by putting up their own caching server or using OpenDNS. I know I did when I found out that Mediacom started messing with DNS like this.

Apparently they have upped their game by redirecting all DNS traffic, no matter which resolver you point at, to their own servers. You have no way around this; you WILL use their servers.

I disagree with the first practice of just having a wildcard (*) entry so that every misspelled name resolves to a site of yours. Now that they have taken this to a new level, I think it is quickly climbing up the all-time ranks of dangerous and stupid.

Really, dangerous? Well, say I’m a person with highly questionable morals who decides that the best way to attack a competing ISP is to go after their DNS servers. I could try some sort of DDoS. Or, the better, more devious approach is to attempt DNS cache poisoning on their servers. Not always the easiest, but when done properly it can have some pretty devastating effects. Now, I trust that Comcast has employed some top-notch admins over there, so I highly doubt they are going to let their guard down here, but we’re all human. We still make mistakes.

Why is this stupid? Honestly, do you click on the ads on one of these pages? Or do you swear to yourself, type it in correctly, or load up Google and search for what you really want? It just seems like a lot of hassle to implement, and all they are really doing is pissing off their customers. They’re trying to milk every last cent out of them, and the customers are not stupid. They know what Comcast is trying to do. They’re pissed off and eventually they will leave.

The sad part is, other ISPs have already taken up the first goofy solution that Comcast put in place. It’s only a matter of time until more of them adopt this new tactic. For me personally, I’m going to smack the crap out of the first person that mentions this as a solution we should deploy. I set up our DNS servers and I refuse to break the internet. I also have a higher respect for my customers. They’re all intelligent, reasonable, and good looking, right?
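The quickest way to tell whether the resolver you are being handed does what the post describes is to ask it for a random label that cannot exist and see whether it answers NXDOMAIN or hands you an address anyway. The following is an added example (not code from the post or from any ISP) that builds the query, parses the wire-format reply, and classifies the result; the probe zone, the transaction ids and the "ad page" address 198.51.100.7 are constructed for the example, and `build_response` only exists so the script can run without a network.

```python
import random
import string
import struct

# Constructed for this example: a documentation-range address standing in for an ISP ad page.
AD_PAGE_IP = "198.51.100.7"


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def random_probe_name(zone):
    """A label that cannot plausibly exist under `zone`; an honest resolver must answer NXDOMAIN."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
    return f"{label}.{zone}"


def build_query(name, txid, qtype=1):
    """Standard recursive A query (RD=1) for `name`; send it over UDP/53 to the resolver under test."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Pull transaction id, RCODE and A-record addresses out of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                 # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


def classify_probe(response, txid):
    """Judge a reply to a random-label probe: an honest resolver says NXDOMAIN (RCODE 3)."""
    if response["id"] != txid:
        return "mismatched-id"          # not the answer to our question; discard it
    if response["rcode"] == 3 and not response["answers"]:
        return "clean"
    if response["rcode"] == 0 and response["answers"]:
        return "hijacked"               # a name that cannot exist was given an address
    return "unexpected"


def redirect_target(parsed_responses):
    """If hijacked probes across unrelated zones all land on one IP, that IP is the ad/search page."""
    targets = {ip for r in parsed_responses if r["answers"] for ip in r["answers"]}
    return targets.pop() if len(targets) == 1 else None


def build_response(txid, name, rcode, a_records):
    """Construct a reply for the offline sample run (QR=1, RD=1, RA=1); no real resolver involved."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0x0F), 1, len(a_records), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in a_records:                     # owner name compressed to the question at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return msg


if __name__ == "__main__":
    name = random_probe_name("example.com")
    honest = parse_response(build_response(0x1234, name, 3, []))
    redirected = parse_response(build_response(0x1234, name, 0, [AD_PAGE_IP]))
    print(classify_probe(honest, 0x1234), classify_probe(redirected, 0x1234))
```

To test a live resolver, send `build_query(random_probe_name(zone), txid)` over UDP to port 53 and feed the reply to `parse_response`; probing several unrelated zones and running `redirect_target` over the results separates a genuine wildcard on one zone from resolver-wide NXDOMAIN rewriting. If the same "hijacked" answer comes back no matter which resolver address you send the query to, the port 53 traffic itself is being redirected, which is the second practice the post describes.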


Business as usual

May 31st, 2009 | by | micro$oft, security


Over the past couple of years, I have been able to tolerate Microsoft a bit more than I used to. When your primary income relies on people purchasing Exchange and OCS accounts that you provide the back end provisioning and automation for, you quickly realize where your bread is buttered.

But this sort of crap really needs to stop. Yes, it’s their operating system. But that doesn’t excuse installing add-ons to third-party applications and disabling the uninstall option. I’m with the writer of this article: this is a great way to get your customers to not trust you, and precisely the reason I haven’t had Windows on my desktop for 8 years.

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a “service pack” for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.

The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs — and not finding any that warranted waving readers away from this update — I told readers not to worry and to go ahead and install it.

source


Uptime

April 30th, 2009 | by | security, sysadmin


Every once in a while one of the LUG lists that I am on decides to have a big dick contest and everyone shows off who has the better uptime. It’s actually a way of generating traffic on mailing lists that haven’t seen any reasonable traffic in a while. It’s the same as starting a vi vs. emacs flame war. No one really wins, but it always gets people contributing to the list.

The list started off fairly respectable with a few people putting up some pathetic numbers of 15 days or 30 days. Someone threw out a 100+ and then someone managed to get a 400+. I decided it was time to put these folks to shame. I threw down the following:

matt@goober:~> uptime
 03:30:14  up 1041 days, 10:41,  2 users,  load average: 0.00, 0.00, 0.00

This is not my record, I have had a DNS server here at work at 1500+.

As usual, these email threads bring out the security-conscious folks who believe that if you haven’t updated your kernel, you’re a bad admin. I typically argue that if you are relying only on security patches, you’re probably not a good admin. It should always be a layered approach! Some people use Ksplice on their boxes so they can patch the kernel effectively without a reboot. I don’t in this instance.

So, as always, I had to describe some of the security features of this box to convince these people that I’m not just an ignorant ass. Here is how I do it.

First off, when I build a box, I install the bare minimum. This server happens to be a file server. It doesn’t need to serve up web pages, so Apache is not installed. It does need to send mail out from its local queue for monit messages, so the SMTP server is locked down both by the firewall running on the server and by an SMTP configuration that listens only on localhost. As I said, the server has a local iptables firewall running on it. It is also protected by a hardware firewall. I keep the various services the server provides up to date and fully patched. I load minimal modules in the kernel: it is the bare bones of what it needs. Where I can unload a module, patch it and reload it without a reboot, I do. Other than that, I can ignore this box.
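The profile above (file sharing and SSH reachable, SMTP bound to localhost only, no web server, a short list of kernel modules) is easy to state and easy to drift away from, so it is worth checking mechanically. Here is an added example, not the author's script, that audits `ss -ltn` and `lsmod` output against such a profile; the two sample outputs, the port policy and the module allowlist are constructed for the example rather than taken from the author's box, and the policy ports (22, 445, 25) are assumptions about what a Linux file server of this kind exposes.

```python
import ipaddress

# Constructed sample outputs, not captured from the author's server.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
"""

SAMPLE_LSMOD = """\
Module                  Size  Used by
ext3                  123456  1
jbd                    45678  1 ext3
e1000                  98765  0
bluetooth             234567  0
"""

# Assumed profile: port -> "public" (any interface) or "loopback" (127.0.0.0/8 or ::1 only).
# Anything listening on a non-loopback address that is not in the policy is a finding.
POLICY = {22: "public", 445: "public", 25: "loopback"}
MODULE_ALLOWLIST = {"ext3", "jbd", "e1000"}   # hypothetical minimal module set for this box


def parse_ss(text):
    """Parse `ss -ltn` output into (local column as printed, host, port) for LISTEN sockets."""
    listeners = []
    for line in text.splitlines()[1:]:            # first line is the column header
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        host, port = local.rsplit(":", 1)
        listeners.append((local, host.strip("[]"), int(port)))
    return listeners


def is_loopback(host):
    """True only for loopback addresses; wildcard binds ('*', 0.0.0.0, ::) count as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                            # '*' or unparsable text: treat as exposed
        return False


def parse_lsmod(text):
    """Return the set of loaded module names from `lsmod` output."""
    return {line.split()[0] for line in text.splitlines()[1:] if line.strip()}


def audit_listeners(listeners, policy):
    """Flag exposed listeners that the policy does not allow on a non-loopback address."""
    findings = []
    for local, host, port in listeners:
        if is_loopback(host):
            continue                              # bound to localhost: fine whatever the service
        expected = policy.get(port)
        if expected is None:
            findings.append(f"unexpected service listening on {local}")
        elif expected == "loopback":
            findings.append(f"port {port} should be loopback-only but listens on {local}")
    return findings


def audit_modules(loaded, allowlist):
    """Flag loaded kernel modules outside the allowlist (the 'minimal modules' rule)."""
    return [f"unexpected kernel module loaded: {name}" for name in sorted(loaded - allowlist)]


def audit(ss_text, lsmod_text, policy=POLICY, allowlist=MODULE_ALLOWLIST):
    """Run both checks; an empty list means the box still matches its minimal profile."""
    return audit_listeners(parse_ss(ss_text), policy) + audit_modules(parse_lsmod(lsmod_text), allowlist)


if __name__ == "__main__":
    # On a real host, feed in the captured output of `ss -ltn` and `lsmod` instead of the samples.
    for finding in audit(SAMPLE_SS, SAMPLE_LSMOD):
        print(finding)
```

Run from cron or from the monitoring system already on the box, a non-empty result is the early warning that a package pulled in a listener you did not plan for, or that SMTP has quietly started answering on the network interface as well as on localhost.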

Do I do this for every server that I admin? No. At my current job we have the resources where just about every service that I roll out is built as some sort of high-availability cluster. If I need to take down a node to patch it, I can. This server that I haven’t taken down in 2.5 years doesn’t have that luxury. It’s also in California. So if a kernel update went south on me, I would have to walk a buddy through getting it back up…over the phone. My buddy has some skills on the computer, but not necessarily a lot of Linux skills. So imagine walking your mom through the Linux command line. Scared yet?

I’m not trying to promote not patching your kernel. But what I am trying to promote is that in some instances, maybe even in a lot of instances, you can get by with _not_ updating your kernel every time a new one comes out. It’s about cost/benefit analysis. Not many sheeple realize that it is actually a part of their job. Sometimes you don’t have $20K to put into a solution that will never go down. EVER! Sometimes you have a couple hundred bucks and you need to provide something that is stable, secure, and hassle free. And that’s what I have provided, going on 1042 days =)


How the Conficker Problem Just Got Much Worse

April 5th, 2009 | by | security


On the surface, April 1 came and went without a peep from the dreaded Conficker megaworm. But security experts see a frightening reality, one where Conficker is now more powerful and more dangerous than ever.

In the first minute of April 1, Conficker did exactly what everyone knew it was going to do: It successfully phoned home for an update. And while it was fun to imagine what nasty payload that update may have included (it was fun, wasn’t it?), the result was not outwardly catastrophic; rather than a blueprint for world domination, the update contained instructions on how to dig in even deeper.

“The worm did exactly what everyone thought it was going to do, which is update itself,” security expert Dan Kaminsky, who helped develop a widely-used Conficker scanner in the days leading up to April 1, told us. “The world wants there to be fireworks, or some Ebola-class, computers-exploding-all-over-the-world event or God knows what, but the reality is…the Conficker developers have cemented their ability to push updates through any fences the good guys have managed to build in February and March.”

And here’s why that is deeply, deeply scary. As we explained, Conficker has built a zombie botnet infrastructure by registering hundreds of spam DNS names (askcw.com.ru, and the like), which it then links up and uses as nodes for infected machines to contact for instructions. In its earlier forms, Conficker attempted to register 250 such DNS names per day. But with the third version of the software, the Conficker.c variant which has been floating around for the last month or so, the number of spam DNS takeovers was boosted to 50,000 per day—a number security pros can no longer keep up with.

source

Yikes! This paints a pretty scary picture.
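The one thing that 50,000 generated names a day cannot hide is the noise they make on the local resolver: only a handful of the generated names are ever registered, so an infected host produces a burst of lookups for distinct, never-seen names that all come back NXDOMAIN. The following is an added example (not from the post, the quoted article, or any Conficker tooling) of that defender-side check run over a resolver query log; the log format `timestamp client qname rcode`, the client addresses and the generated-looking names are constructed for the example, and the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Build a constructed DNS query log: one client behaving like DGA malware, one normal user."""
    base = datetime(2009, 4, 1, 0, 0, 0)
    lines = []
    # 10.0.0.9 (constructed): 40 distinct, never-seen names in two minutes, every one NXDOMAIN.
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 gen{i:03d}.example-dga.test NXDOMAIN")
    # 10.0.0.5 (constructed): ordinary browsing over an hour with two typos mixed in.
    for i in range(12):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 www.example.com NOERROR")
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()} 10.0.0.5 ww.example.com NXDOMAIN")
    lines.append(f"{(base + timedelta(minutes=43)).isoformat()} 10.0.0.5 exmaple.com NXDOMAIN")
    return "\n".join(lines)


def parse_log(text):
    """Parse `timestamp client qname rcode` lines into (datetime, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode))
    return records


def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_dga_clients(records, window=timedelta(minutes=5), min_nx=20, min_distinct_ratio=0.9):
    """Flag clients with a burst of NXDOMAIN answers for mostly distinct names.

    A user mistyping the same name a few times fails the burst test; a script hammering one
    dead name fails the distinct-ratio test; a generator walking a daily list of fresh names
    passes both.  Thresholds are assumptions, not values from the article.
    """
    nx_by_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nx_by_client[client].append((ts, qname))
    flagged = {}
    for client, events in nx_by_client.items():
        burst = max_in_window([ts for ts, _ in events], window)
        distinct_ratio = len({q for _, q in events}) / len(events)
        if burst >= min_nx and distinct_ratio >= min_distinct_ratio:
            flagged[client] = {"burst": burst, "distinct_ratio": round(distinct_ratio, 2)}
    return flagged


if __name__ == "__main__":
    for client, stats in flag_dga_clients(parse_log(constructed_log())).items():
        print(f"{client}: {stats['burst']} NXDOMAIN in window, distinct ratio {stats['distinct_ratio']}")
```

This catches the behaviour rather than any particular name list, which is the point: a blocklist of yesterday's generated names is useless against today's, but a host that fails fifty fresh lookups in five minutes looks the same whichever variant is running. Feed it the resolver's query log on a schedule and hand the flagged clients to whoever owns the desktops.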
