For anyone not familiar with what's going on with it, you can get the current back story here.
I do apologize, yes that is my own blog, and I hate to self-promote my own writings. I just wrote about it in my infosec blog earlier, since it's a pretty big deal and many mainstreamers who use P2P or may just care about the (IMO) unethical business practices had not heard about the story or series of events since July.
September 17 – 23, 2007
ChicagoCon brings together the biggest security names under one roof for a week of training like no other. Not just another boot camp or hacker con, ChicagoCon adds value to your training dollars by also providing top instructors, well known certifications, keynotes, evening presentations, hacking demos & contests as well as gift bags for all. 11 courses including CISSP, CEH, CHFI, Advanced Hacking, Cisco, SOX, Security+, Linux+ and more. From the novice, to the ultimate techie, to the CISO chair... everyone interested in a career in security will find something at ChicagoCon, your one-stop shop for security training and certification. Keynotes: John C. Dvorak, Steve Hunt, Lance Spitzner, Symantec, DoD. Presented by www.ethicalhacker.net.
I only host a few personal websites and one e-mail domain with just a couple of e-mail accounts. I also have a POP3 connector to pull e-mail in from an ISP for an old e-mail address. I run it in my basement on a DSL with static, public IP addresses with a Cisco router acting as my firewall. I am also running Symantec Corporate Antivirus 8.1 and I have Windows Intelligent Messaging Filter configured. I believe I am up to date on all my service packs and updates. I have done basic things like using hardened passwords and disabling the default administrator account. I admit that I have not changed my password in a while, but I changed them today.
One of the main things I am concerned about is unauthorized users sending mail through my server. My girlfriend and I are really the only people that would normally send mail from one of several machines that would all be on the same local IP subnet. I primarily use Outlook to manage my mail, but I have also used Outlook Express, Netscape, Thunderbird and OWA. The main symptom of how I know that I have a security problem is that when I go to Exchange System Manager and look at the Queues for my server, I see about 40 SMTP connectors set up for domains that I do not manage or support. All but one have at least one message waiting in the queue. I have frozen them for now, but more will keep getting added and I have no idea how people are able to do it. When I get my daily reports, I have seen that often I get dozens of failed attempts to log into my server via Terminal Services/RDP.
What can I do or look at to see how my system is compromised and what people are doing or trying to do on my server? What are some other things I can do to improve security on my server and harden it against attacks? Whenever I try to Google for tips, I find really in-depth instructions that I don't understand or that are for more complicated installations. I have done some things in the past to tighten things up and have screwed up my server. So more often than not, I choose to do nothing rather than risk messing things up.
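One way to find out who is using the server as a relay, as an added example that is not from the original post or from Exchange itself: it parses SMTP virtual server logs in W3C extended format (the field set is assumed; the log lines, domains and addresses are constructed) and lists every outside client whose RCPT to a domain the server does not host was accepted, separating unauthenticated relaying from relaying through a valid account.

```python
import re
from collections import defaultdict

# Constructed sample of an SMTP virtual server log in W3C extended format. The
# field set is assumed (what Exchange 2003 can log); addresses and users are made up.
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2007-05-01 03:12:01 203.0.113.7 - EHLO +mail.example.net 250
2007-05-01 03:12:01 203.0.113.7 - MAIL +FROM:<promo@example.net> 250
2007-05-01 03:12:02 203.0.113.7 - RCPT +TO:<victim@example.org> 250
2007-05-01 03:12:02 203.0.113.7 - RCPT +TO:<alice@mydomain.example> 250
2007-05-01 03:15:44 192.168.1.20 OutlookUser MAIL +FROM:<me@mydomain.example> 250
2007-05-01 03:15:44 192.168.1.20 OutlookUser RCPT +TO:<friend@example.com> 250
2007-05-01 04:02:10 198.51.100.9 OutlookUser AUTH +LOGIN 235
2007-05-01 04:02:11 198.51.100.9 OutlookUser RCPT +TO:<buyer@example.org> 250
2007-05-01 04:02:12 198.51.100.9 OutlookUser RCPT +TO:<nobody@example.com> 550
"""
HOSTED_DOMAINS = {"mydomain.example"}   # domains this server accepts mail for
LOCAL_NETS = ("192.168.",)              # assumed LAN prefix of our own clients

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def relay_report(text, hosted=HOSTED_DOMAINS, local_nets=LOCAL_NETS):
    """Map each non-LAN client IP to the external recipient domains the server
    accepted from it (2xx reply to RCPT) and any account it authenticated as.
    No account means open relay; an account means a credential used from outside."""
    report = defaultdict(lambda: {"users": set(), "external_rcpts": []})
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "RCPT" or not rec.get("sc-status", "").startswith("2"):
            continue  # only accepted RCPT commands matter
        m = re.search(r"<[^@>]+@([^>]+)>", rec.get("cs-uri-query", ""))
        if not m or m.group(1).lower() in hosted or rec["c-ip"].startswith(local_nets):
            continue  # inbound mail to us, or our own LAN users sending out
        entry = report[rec["c-ip"]]
        entry["external_rcpts"].append(m.group(1).lower())
        if rec.get("cs-username", "-") != "-":
            entry["users"].add(rec["cs-username"])
    return dict(report)

if __name__ == "__main__":
    for ip, info in relay_report(SAMPLE_LOG).items():
        who = ", ".join(sorted(info["users"])) or "unauthenticated"
        print(f"{ip}: relayed to {info['external_rcpts']} as {who}")
```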
In what could be a whopping security hole, Nevada has posted the password to the gubernatorial e-mail account on its official state Web site. It appears in a Microsoft Word file giving step-by-step instructions on how aides should send out the governor's weekly e-mail updates, which has, as a second file shows, 13,105 subscribers.
The Outlook username is, by the way, "governor" and the password is "kennyc". We should note at this point that the former Nevada governor, a Republican, is Kenny C. Guinn, which hardly says much about password security.
Thought the group might like this.
So I got an unsolicited e-mail yesterday and it turned out to be a pretty blatant phishing attempt related to...wait for it...PayPal. To make a long story short here, I had some free time on my hands so I began investigating this particular e-mail by looking at the message header as well as the phishing site which was set up to collect people's personal data, etc. After a short while, I was able to determine that both the phishing site as well as the origin of the e-mail were on the same ISP and from two separate, but geographically close locations to each other in the Los Angeles county area. I was also able to link this attack to an underground Chinese hacking group who seemed to be located in the same area.
Well at this point, I thought it would be a good idea to start compiling notes and make a report to submit to the LA County Sheriff's Department and depending on the response, the California Department of Justice, the F.B.I., the Secret Service or the Department of Homeland Security. And then of course some of the local newspapers and news stations in LA and even the national news. I realize that one phishing attack isn't such a big deal, but with the amount of evidence I had compiled and the ease with which warrants would have been able to be obtained, this would've been a slam dunk and could potentially have led to the arrests of an entire underground hacking group. Also, California specifically has a state law to use when prosecuting cases related to phishing in their "Anti-Phishing Act of 2005."
Yes, I can be pretty optimistic sometimes.
Well this is where things get interesting, and where the purpose for my post here begins. Before I finished compiling all my notes and generating a report, I stopped for the day and decided I would pick up again today. This morning I noticed that I didn't have the link to the actual phishing site itself written down. In the e-mail, the unsub included a link to a page which had been hacked and was redirecting users to the phishing site in LA...I didn't have the URL for that site or the IP, and when I went back to the page which was redirecting, I was greeted with something entirely different.
The redirect page had been replaced with a page letting everyone know that the e-mail they received was not legitimate and was a phishing attempt and included links to a description of what phishing was and an e-mail address for people who wanted to report more instances of phishing, etc. Well this wasn't what I was looking for - I needed the IP address of the original phishing site. So I sent an e-mail to the person who put this new page up asking them if they had the original page which was there with a justification behind why I wanted it.
The response I received was from the owner of this anti-phishing site who claims to make it a personal mission of his to thwart phishers. Very admirable, but after a few back-and-forth e-mails with this man I learned a few things and definitely questioned his actions. In his response to me he stated that he had replaced the page himself and that he wasn't sure he had the original still, but that he would look. In my second e-mail to him, I asked him as an aside, that if he wasn't able to get in touch with the owner of the site or the ISP (which he claimed would be a waste of time), how he had replaced the phisher's page with his own. His response was that there was an account on that site with a very weak password which he found and was very common, and that if he couldn't take down the phisher's site, changing the redirect page was just as good.
This set some bells and whistles off in my head.
My take on this was that not only was what he did also illegal and unethical - unauthorized access to a web server owned and operated by someone other than himself - but he had also possibly destroyed, and definitely corrupted, what could have potentially been very crucial evidence for the prosecution of the perpetrators of this phishing attack. The page itself would only have given me the IP of the original phishing site, which most likely has since been taken off-line; however, the logs for the redirect web server may have indicated when the server was hacked and who had uploaded the redirect page, and had this IP tracked back to the same ISP in the same geographic location and maybe to one of the members of this group I'm tracking, that would've been the proverbial nail in the coffin.
Well I brought all of this to his attention and basically his response was that he didn't see how a redirect page would've been valuable in the grand scheme of things. Moreover, he wasn't concerned with his act of "ethical hacking" because in his experience, the FBI doesn't respond to electronic crimes where there is no monetary loss greater than $10,000 (which is accurate, but irrelevant). He also said that he saw himself as serving the greater good by preventing any further individuals from becoming a victim of this particular attack. Basically, his justification was vigilantism.
I recommended to him that in the future he might want to first contact the owner of the site before accessing it (I was able to find both names, 5 phone numbers (both personal and work) and 2 e-mail addresses for the husband/wife team who owned and operated the site with a few brief searches) and before replacing anything, to first make a copy of the original content, including logs in the case that any criminal prosecution would arise. His response to that was that in his experience law enforcement took these kinds of "attacks" not very seriously at all but that he would be more diligent in the future.
And now my 2 comments for the group. First, what's your opinion of what transpired, as it was related? And secondly, and more important, in your ITSEC travels, please, please be aware of issues such as chain-of-custody, evidence contamination and what is legally permissible when it comes to computer crimes and computer forensics!!!
Systems Security Analyst
Debate the Future at the 17th annual Computers Freedom and Privacy Conference, 1-4 May 2007 at the Hilton Bonaventure Hotel in Montreal, Quebec. WWW.CFP2007.ORG
Cisco's DMVPN solution seems to fit what we want, but I'm wondering if anyone else offers a similar solution.
Any & all thoughts are appreciated - thanks!