The Mystery of Duqu: Part Six (The Command and Control servers)

The Mystery of Duqu: Part Six (The Command and Control servers) – Securelist.

For our particular server, several spikes immediately raise suspicions: 15 February and 19 July, when new versions of OpenSSH were installed; 20 October, when the server cleanup took place. Additionally, we found spikes on 10 February and 3 April, when certain events took place. We were able to identify “dovecot” crashes on these dates, although we can’t be sure whether they were caused by the attackers (“dovecot” remote exploit?) or were simply instabilities.

Of course, for server ‘A’, three big questions remain:

  • How did the attackers get access to this computer in the first place?
  • What exactly was its purpose and how was it (ab-)used?
  • Why did the attackers replace the stock OpenSSH 4.3 with version 5.8?

Interesting read. Apparently there might have been a zero-day exploit in OpenSSH.
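The kind of timeline triage Securelist describes above (per-day event volume, then correlating the spikes with package installs and daemon crashes) can be scripted. The following is an added example and not Securelist's code: every log line is constructed for it, and the hostname, PIDs, IP addresses and package versions are assumptions rather than data from the real servers.

```python
"""Timeline triage over a server log, in the style of the Duqu C&C analysis.

Added example, not code from Securelist: given a mixed log (syslog-style
daemon messages plus package-manager install records), count events per
day, flag days whose volume is well above a typical day, and list the
package installs and daemon crashes that fall on those days. Every log
line below is constructed; host 'srv-a', the PIDs, the 203.0.113.7 source
address and the package versions are assumptions for this example.
"""
import re
import statistics
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2011-02-09 02:00:01 srv-a sshd[811]: Accepted publickey for admin from 10.0.0.5 port 4401 ssh2
2011-02-09 04:02:01 srv-a CROND[902]: (root) CMD (run-parts /etc/cron.daily)
2011-02-10 03:11:02 srv-a dovecot: child 1204 (imap) killed with signal 11 (core dumped)
2011-02-10 03:11:05 srv-a dovecot: child 1209 (imap) killed with signal 11 (core dumped)
2011-02-10 03:11:09 srv-a dovecot: child 1213 (imap) killed with signal 11 (core dumped)
2011-02-10 03:12:40 srv-a sshd[1300]: Accepted password for root from 203.0.113.7 port 51022 ssh2
2011-02-10 04:02:01 srv-a CROND[1402]: (root) CMD (run-parts /etc/cron.daily)
2011-02-11 04:02:01 srv-a CROND[1550]: (root) CMD (run-parts /etc/cron.daily)
2011-02-15 01:40:12 srv-a sshd[2100]: Accepted password for root from 203.0.113.7 port 51317 ssh2
2011-02-15 01:44:03 srv-a yum[2210]: Installed: openssh-5.8p1-1.el5.x86_64
2011-02-15 01:44:05 srv-a yum[2210]: Installed: openssh-server-5.8p1-1.el5.x86_64
2011-02-15 01:44:30 srv-a sshd[2330]: Server listening on 0.0.0.0 port 22.
2011-02-15 04:02:01 srv-a CROND[2500]: (root) CMD (run-parts /etc/cron.daily)
2011-02-16 04:02:01 srv-a CROND[2650]: (root) CMD (run-parts /etc/cron.daily)
2011-02-16 09:12:44 srv-a sshd[2700]: Accepted publickey for admin from 10.0.0.5 port 4410 ssh2
2011-02-17 04:02:01 srv-a CROND[2800]: (root) CMD (run-parts /etc/cron.daily)
"""

# Format assumed for the constructed lines: date time host process[pid]: message
# (the pid is optional, as with the dovecot lines above).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
INSTALL_RE = re.compile(r"^(Installed|Updated|Erased): (\S+)")   # yum.log-style records
CRASH_RE = re.compile(r"killed with signal \d+|segfault|core dumped")


def parse(log: str) -> list:
    """Parse lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def events_per_day(entries) -> dict:
    """Map each date to the number of log lines written that day."""
    return dict(Counter(e["date"] for e in entries))


def spike_days(counts: dict, factor: float = 2.0) -> list:
    """Days whose event count is at least `factor` times the median day."""
    if not counts:
        return []
    median = statistics.median(counts.values())
    return sorted(d for d, n in counts.items() if median > 0 and n >= factor * median)


def notable_events(entries, days) -> dict:
    """Package changes and daemon crashes on the given days, keyed by day."""
    notes = defaultdict(list)
    for e in entries:
        if e["date"] not in days:
            continue
        m = INSTALL_RE.match(e["msg"])
        if m:
            notes[e["date"]].append(f"package {m.group(1).lower()}: {m.group(2)}")
        elif CRASH_RE.search(e["msg"]):
            notes[e["date"]].append(f"crash in {e['proc']}: {e['msg']}")
    return dict(notes)


def triage(log: str, factor: float = 2.0) -> dict:
    """Full pass: per-day counts, the spike days, and what happened on them."""
    entries = parse(log)
    counts = events_per_day(entries)
    spikes = spike_days(counts, factor)
    return {"counts": counts, "spikes": spikes, "notes": notable_events(entries, set(spikes))}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for day in report["spikes"]:
        print(f"{day}: {report['counts'][day]} events")
        for note in report["notes"].get(day, []):
            print("   ", note)
```

On the constructed sample this flags 10 February (three dovecot crashes followed by a root login from an outside address) and 15 February (the OpenSSH 5.8 install and sshd restart), which is exactly the pairing of "volume spike" with "what changed that day" that the analysis above relies on. On a real server the same pass should be run against the package manager log, the authentication log and the daemon logs separately, since a spike in one is easily drowned out by cron noise in the aggregate.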

From: http://en.wikipedia.org/wiki/Duqu

Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS)[1] of the Budapest University of Technology and Economics in Hungary, which discovered the threat, analyzed the malware and wrote a 60-page report[2], naming the threat Duqu.[3] Duqu got its name from the prefix “~DQ” it gives to the names of files it creates.

Here’s an interesting comment on Slashdot.

The only things you should need open to the internet are SSH (“the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially”) and/or IPSec/L2TP. Anything else should redirect to a DMZ that does NOT route to the same subnet as SSH/IPSec/L2TP. The DMZ should not have port access to the regular network (everything should be pushed). The firewall should be set to not allow active connections out from the DMZ to anywhere, and any activity should not just be logged, but flagged and sent to the administrator. All devices in the DMZ should log to a remote (to them) syslog that is polled from outside the DMZ.

There… that’s the ideal world. In reality, this doesn’t account for people who don’t have that much hardware/expertise with VMs, for people who don’t keep up with their patches, for those who want to do an end-run around this policy to set up torrents, etc. directly from their working computer, etc.

It also doesn’t help that most gateway routers these days have some full-fledged OS inside and as a result often have exploits that can be leveraged directly against them due to inappropriate default configurations.
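The zone policy the commenter sketches (only SSH and IPsec/L2TP reachable on the gateway, everything else redirected into a DMZ, the DMZ never initiating connections, every attempt to do so flagged for the administrator, and DMZ logs pulled from outside) is concrete enough to write down as code and test. What follows is an added example, not the commenter's own code: the zone names, the separate "admin" zone used to poll DMZ syslog, the assumption that internal users may reach the Internet, and the sample flows are all assumptions made for the example.

```python
"""The Slashdot commenter's zone firewall policy, expressed as code.

Added example, not code from the comment: decide() encodes the rules for a
new connection attempt and evaluate() applies them statefully to a list of
flows, so that a DMZ host may answer a connection it received but is
flagged the moment it tries to open one. Zones ('internet', 'gateway',
'dmz', 'internal', 'admin'), the admin zone that polls DMZ syslog, the
internal-to-Internet allowance and the sample flows are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # zone the packet comes from
    dst: str          # zone it is going to
    proto: str        # "tcp" or "udp"
    dport: int        # destination port of the *original* connection
    new: bool = True  # True: connection attempt; False: reply inside an existing connection


# The only services the commenter allows to face the Internet: SSH, IKE,
# IKE NAT-traversal and L2TP (IPsec/L2TP).
ALLOWED_ON_GATEWAY = {("tcp", 22), ("udp", 500), ("udp", 4500), ("udp", 1701)}


def decide(f: Flow) -> str:
    """Verdict for a connection attempt: accept, redirect-dmz, drop or drop-alert."""
    if f.src == "internet":
        if f.dst == "gateway" and (f.proto, f.dport) in ALLOWED_ON_GATEWAY:
            return "accept"
        if f.dst == "gateway":
            return "redirect-dmz"   # "anything else should redirect to a DMZ"
        return "drop"               # nothing from outside reaches internal/admin directly
    if f.src == "dmz":
        return "drop-alert"         # the DMZ never initiates; every attempt is flagged
    if f.src in ("internal", "admin") and f.dst == "dmz":
        return "accept"             # data is pushed in; logs are polled from outside
    if f.src == "admin" and f.dst == "gateway" and (f.proto, f.dport) == ("tcp", 22):
        return "accept"             # administering the gateway itself
    if f.src == "internal" and f.dst == "internet":
        return "accept"             # assumption: the comment is silent on user egress
    return "drop"


def evaluate(flows):
    """Stateful pass: replies are accepted only for connections that were accepted
    when opened, and DMZ-initiated attempts are collected as administrator alerts."""
    established = set()
    decisions, alerts = [], []
    for f in flows:
        if not f.new:
            # A reply runs dst->src of the original connection; look that one up.
            key = (f.dst, f.src, f.proto, f.dport)
            verdict = "accept" if key in established else "drop"
        else:
            verdict = decide(f)
            if verdict in ("accept", "redirect-dmz"):
                # A redirected connection terminates in the DMZ, so record it there.
                real_dst = "dmz" if verdict == "redirect-dmz" else f.dst
                established.add((f.src, real_dst, f.proto, f.dport))
            elif verdict == "drop-alert":
                alerts.append(f"ALERT: DMZ host attempted {f.proto}/{f.dport} to {f.dst}; notify administrator")
        decisions.append((f, verdict))
    return decisions, alerts


# Constructed sample traffic, in the order it would arrive at the firewall.
SAMPLE_FLOWS = [
    Flow("internet", "gateway", "tcp", 22),             # admin SSH from outside
    Flow("internet", "gateway", "tcp", 80),             # web request, belongs in the DMZ
    Flow("dmz", "internet", "tcp", 80, new=False),      # the DMZ web server's reply
    Flow("dmz", "internal", "tcp", 3306),               # DMZ box probing an internal database
    Flow("dmz", "internet", "tcp", 443),                # DMZ box calling out (a C&C beacon would look like this)
    Flow("internal", "dmz", "tcp", 8080),               # content pushed into the DMZ
    Flow("admin", "dmz", "tcp", 22),                    # admin pulling the DMZ syslog host's logs
    Flow("dmz", "admin", "tcp", 22, new=False),         # reply to that pull
    Flow("internet", "internal", "tcp", 445),           # direct attempt at the inside network
]


if __name__ == "__main__":
    decisions, alerts = evaluate(SAMPLE_FLOWS)
    for flow, verdict in decisions:
        print(f"{flow.src:>8} -> {flow.dst:<8} {flow.proto}/{flow.dport:<5} {'reply' if not flow.new else 'new  '} {verdict}")
    for line in alerts:
        print(line)
```

The evaluator is deliberately a policy model rather than a ruleset for a particular firewall, so the same table can be translated into nftables, pf or a cloud security group and the sample flows re-run as a regression test against the translation. The two alerts it raises on the sample (a DMZ host reaching for an internal database and a DMZ host opening an outbound connection to the Internet) are the events the commenter wants "not just logged, but flagged and sent to the administrator"; on a compromised C&C server of the kind discussed above, the outbound one is the first thing an operator would notice.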

Groupon Was “The Single Worst Decision I Have Ever Made As A Business Owner”

The sales process seemed like buying a car. Initially, the rep asked for 100% of the revenue. He eventually “settled” for 50%. “Understanding that your business is newer, I decided to split the revenue with you,” he wrote. At one point, Jessie was told that she could only ever run one Groupon over the life of the business.

via Groupon Was “The Single Worst Decision I Have Ever Made As A Business Owner” | TechCrunch.

The Biggest Red Flag In The Groupon IPO Isn’t The Sea Of Red Ink

We assume that the preferred stockholders here are Groupon’s founders; usually it’s venture capital investors who have “preferred stock”, but we’ve never heard of a respectable VC asking for dividends of a money-losing startup.

via The Biggest Red Flag In The Groupon IPO Isn’t The Sea Of Red Ink – Business Insider.

Published on June 2, 2011.

Why Hypercard Had to Die

The reason for this is that HyperCard is an echo of a different world. One where the distinction between the “use” and “programming” of a computer has been weakened and awaits near-total erasure. A world where the personal computer is a mind-amplifier, and not merely an expensive video telephone. A world in which Apple’s walled garden aesthetic has no place.

What you may not know is that Steve Jobs killed far greater things than HyperCard. He was almost certainly behind the death of SK8. And the Lisp Machine version of the Newton. And we may never learn what else. And Mr. Jobs had a perfectly logical reason to prune the Apple tree thus. He returned the company to its original vision: the personal computer as a consumer appliance, a black box enforcing a very traditional relationship between the vendor and the purchaser.

via Loper OS » Why Hypercard Had to Die.

HyperCard

HyperCard is an application program created by Bill Atkinson for Apple Computer, Inc. that was among the first successful hypermedia systems before the World Wide Web. It combines database capabilities with a graphical, flexible, user-modifiable interface.[1] HyperCard also features HyperTalk, written by Dan Winkler, a programming language for manipulating data and the user interface. Some HyperCard users employed it as a programming system for Rapid Application Development of applications and databases.

HyperCard was originally released in 1987 for $49.95, and was included with all new Macs sold at the time.[2] It was withdrawn from sale in March 2004, although by then it had not been updated for many years.

via HyperCard – Wikipedia, the free encyclopedia.

New Study Reinforces Case for DC Power Savings

But advocates of DC power continue to make the case for direct current distribution in data centers. The recent Data Center Efficiency Summit featured a case study showing gains over AC systems, and discussion of whether global efforts to establish a standard for 380 volt systems might build momentum for DC power.

via New Study Reinforces Case for DC Power Savings » Data Center Knowledge.

Terahertz wireless chip brings 30Gbps networks, subcutaneous scanning

Rohm, a Japanese semiconductor company, has created a silicon chip and antenna that’s currently capable of transmitting 1.5Gbps, with the potential to scale up to 30Gbps in the future. By comparison, the fastest 802.11 (WiFi) transmission speeds max out at around 150Mbps, and the incoming WiGig standard peaks at 7Gbps.

via Terahertz wireless chip brings 30Gbps networks, subcutaneous scanning | ExtremeTech.