In the process of extending my pastemon tool, I’ve a quick poll for you. At the moment, I’m monitoring pastebin.com (and soon another one) but what are your favorite paste sites? Please take a few seconds to answer the questions:
Poll: What Are Your Favorite Paste Sites?
The value of HTTP 404 Errors
The HTTP protocol defines a list of response status codes to help communication between the server and the browser. Every time a server responds to a browser request, a status code is sent. The most common ones are “200”, which means “Everything is ok, here is some food!”, and “404”, which means “Not found”. A 404 may be caused by the client (example: an error in the URL typed in the browser) or by the developer/administrator who forgot to copy files or made typos in his code. That’s why the amount of 404 errors is directly related to the type of environment. During development and test phases, it’s common to have more errors. On the other side, in a production environment, the amount of 404 errors should be limited and the main source of errors will be the client/browser.
Sometimes, “404” errors are considered useless by webmasters and are simply ignored in their reports. After all, their goal is to know how many visitors browsed their websites. From a security perspective, those errors can be very helpful to detect unusual traffic targeting a website.
I analyzed one year of my blog logs (yes, I’ve a long retention policy!). Some facts to start:
- Total hits: 9.534.062
- 404 errors: 343.606 (3.6%)
As you can see on the graph below, the 404 error code comes in the fifth position after the classic 200 and 3xx codes.
As I’m trying to keep the blog clean, this huge amount of “not found” errors looked strange to me. I decided to generate more statistics. What can we deduce? For a while, the big winner has been the TimThumb vulnerability discovered in August 2011. The exploit was released on the 3rd of August and the first attempt hit me on the 4th! Still today, I receive plenty of probes (see this month):
The TimThumb scans are coming from three main sources, as seen on the Google map below (the live map is available here).
Another trend: more and more .rar archive files are requested, especially this month. Why? I’ve absolutely no idea! If you have ideas, feel free to post your comments!
The top-10 of requested .rar files is:
- /mirserver.rar
- /web.rar
- /www.rar
- /mirserver1.rar
- /wwwroot.rar
- /youxi.rar
- /mh.rar
- /manhua.rar
- /mirserver2.rar
- /mirserver3.rar
Some of them look like they come from scanners looking for website backups. But I did not see the same amount of requests for .tar.gz or .zip files (except for “www.zip”)! I also saw requests for files named with numbers: 5555.rar, 8888.rar, 444.rar, etc. According to Google, those files are massively infected with malware, but why look for them on my server?
Finally, scanners are looking for .asp (Microsoft .Net) pages, especially during the last two months:
The top-10 of requested .asp pages is:
- /save.asp
- /plug/save.asp
- /gmsave.asp
- /diy.asp
- /shell.asp
- /dama.asp
- /upfile_flash.asp
- /FCKeditor/editor/filemanager/connectors/asp/connector.asp
- /xiaoma.asp
- /up_BookPicPro.asp
And what about common tools or web interfaces? The top-10 is:
- /setup.php
- /scripts/setup.php
- /admin
- /login.php
- /phpmyadmin/
- /myadmin/
- /mysql/
- /db/
- /administrator/
- /db/
As you can see, there is plenty of useful information in your Apache (or any other web server) log files! Keep an eye on your 404 errors to discover new trends! A temporary peak of 404 errors could mean that your server is under attack…
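The statistics above (404 share, top missing paths per extension, a sudden hourly peak) can be pulled from the access log with a few lines of code. This is an added example, not the blog’s own tooling; the log lines are constructed in Apache “combined” format from the paths listed above, with client addresses from the 198.51.100.0/24 documentation range.

```python
"""Mine an Apache access log for 404 trends, the way the post does by hand.
Added example, not the blog's own tooling; SAMPLE_LOG lines are constructed in
Apache "combined" format from the paths listed above (198.51.100.0/24 is a
documentation range)."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

SAMPLE_LOG = """\
198.51.100.7 - - [04/Aug/2011:10:12:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Aug/2011:10:40:11 +0200] "GET /wp-content/themes/x/timthumb.php?src=a HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [04/Aug/2011:11:05:44 +0200] "GET /feed/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.8 - - [04/Aug/2011:11:06:00 +0200] "GET /old-post HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Aug/2011:12:00:05 +0200] "GET /mirserver.rar HTTP/1.0" 404 210 "-" "-"
198.51.100.23 - - [04/Aug/2011:12:00:06 +0200] "GET /web.rar HTTP/1.0" 404 210 "-" "-"
198.51.100.23 - - [04/Aug/2011:12:00:07 +0200] "GET /www.rar HTTP/1.0" 404 210 "-" "-"
198.51.100.23 - - [04/Aug/2011:12:00:08 +0200] "GET /save.asp HTTP/1.0" 404 210 "-" "-"
198.51.100.24 - - [04/Aug/2011:12:30:00 +0200] "GET /mirserver.rar HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [04/Aug/2011:12:45:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """One dict per parsable line; the hour key is 'DD/Mon/YYYY:HH'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["path"] = e["path"].split("?", 1)[0]   # drop the query string
        e["hour"] = e["ts"][:14]
        entries.append(e)
    return entries

def summarize(entries):
    """Total hits, 404 count and the 404 share in percent (one decimal)."""
    total = len(entries)
    nf = sum(1 for e in entries if e["status"] == 404)
    return {"total": total, "notfound": nf,
            "rate": round(100.0 * nf / total, 1) if total else 0.0}

def top_404(entries, suffix="", n=10):
    """Most requested missing paths, optionally restricted to one extension."""
    c = Counter(e["path"] for e in entries
                if e["status"] == 404 and e["path"].endswith(suffix))
    return c.most_common(n)

def hourly_404_spikes(entries, factor=2.0):
    """Hours whose 404 count exceeds factor x the hourly mean: the 'under attack' peak."""
    hours = {e["hour"] for e in entries}
    per_hour = Counter(e["hour"] for e in entries if e["status"] == 404)
    if not hours:
        return []
    mean = sum(per_hour.values()) / len(hours)
    return sorted((h, per_hour[h]) for h in hours if per_hour[h] > factor * mean)
```

On a real log, run `hourly_404_spikes` over a day or a week and compare the flagged hours with the top paths for those hours to see which scanner caused the peak.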
Demystify the URL Shorteners
URL shortener online services are very helpful. You probably already use them every day. With mobile Internet and micro-blogging services like Twitter, it’s much more convenient to use short URLs.
But the downside is, once again, the bad guys, who quickly understood the opportunity for new types of attacks. It’s so easy to hide a suspicious URL behind a shortened one. Who can tell the difference between “bit.ly/abcdef” and “bit.ly/uvwxyz”? People suffering from “clickmania” are the first victims!
That’s why it is recommended to adopt a safe behavior and not to open a shortened URL if you’re not 100% sure that the hidden address is safe. And who can claim to be sure? Some applications offer quite good support for those services: they automatically decode the short URL and show you the original site. A good example is the Twitter client Tweetdeck:
There are also plug-ins for different browsers which decode shortened URLs on the fly:
- Long URL Please for Firefox
- View Thru for Chrome
But some services offer a very nice feature which does not require any extra piece of code. Examples? If you would like to visit a short URL coming from bit.ly, add a “+” sign at the end of the URL and you will be redirected to the corresponding statistics page, showing you the real URL and the number of hits. is.gd offers the same feature, but this time add a “-” sign. I suppose that other shortener services support the same feature.
Finally, some sites are fully dedicated to URL decoding, like prevurl.com. It decodes the URL and displays a thumbnail of the original website. Use it by adding your URL as an argument: http://prevurl.com/?url=http://is.gd/w or by filling in the form.
Don’t forget, “+” is your best friend on bit.ly!
QOTD: “HTTP Became the New TCP”

I heard the following quote today in an online video about a commercial product and I found it so true: “HTTP became the new TCP!”
TCP, or “Transmission Control Protocol”, runs at the transport layer (4th) of the OSI model. HTTP runs on an upper one, the application layer. Historically, HTTP was used to access web servers. The first websites, ten years ago, delivered exclusively static content. The next generation delivered dynamic content (often based on data coming from SQL databases).
For a few years now, the “web 2.0” has further increased interactivity between visitors and websites. Content is not only generated by the servers: users are able to generate data and “push” it online. Interactivity is the key word. And today, HTTP is more and more used as a “tunnel” to encapsulate a lot of data or other protocols. That’s why security policies have to keep an eye on the famous port “80”.
If you simply drop all HTTP traffic (TCP/80) at your firewall level, your users will be in trouble. As a first step, do not let HTTP traffic pass directly to the Internet but use a proxy to set up basic filtering rules. A good example is Skype, which will try to use port 80 to access the Internet (but not over HTTP). Unfortunately, not all proxies are able to perform deep inspection at the application layer. You want good examples of HTTP diversion?
- Gmail is a very common webmail interface. But how do you prevent a user from sending critical files attached to e-mails? (risk of data loss)
- http-tunnel lets you create some kind of VPN through HTTP.
- gbridge is an extension of Google Talk which allows you to chat, transfer files or take control of a remote computer “à la VNC”.
Don’t conclude too quickly that only “bad guys” will try to use HTTP in the wrong way. Even well-known commercial products implement the same kind of feature: Outlook can be configured to perform RPC over HTTP.
Today, the traffic passing over HTTP must be inspected to prevent all kinds of unwanted applications which can affect your security!
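A proxy that only matches on port 80 cannot tell the three cases apart (genuine HTTP, HTTP carrying another protocol such as RPC over HTTP or a CONNECT pipe, and non-HTTP traffic like the Skype case). The classifier below is an added example, not code from the post or from any proxy product; it looks at the first bytes a client sends and all sample payloads are constructed.

```python
"""Classify the first bytes a client sends on TCP/80: real HTTP, HTTP used as a
tunnel for another protocol, or something that is not HTTP at all (the Skype
case above). Added example, not code from the post; a proxy or IDS would apply
this to the first client segment. All sample payloads below are constructed."""
import re

REQUEST_LINE = re.compile(rb"^([A-Z_]+) (\S+) HTTP/(1\.[01])\r\n")
STANDARD = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
# Methods that carry another protocol inside HTTP: CONNECT opens a raw byte
# pipe through the proxy, RPC_IN_DATA/RPC_OUT_DATA are Outlook's RPC over HTTP.
TUNNEL_METHODS = {b"CONNECT": "CONNECT byte tunnel",
                  b"RPC_IN_DATA": "RPC over HTTP", b"RPC_OUT_DATA": "RPC over HTTP"}

def classify_port80(payload):
    """Return (verdict, detail) for the first client bytes of a port-80 flow.
    Verdicts: 'http', 'http-tunnel', 'suspicious', 'not-http'."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # No request line at all: another protocol is riding on port 80. A
        # port-based firewall rule lets it through; an HTTP proxy refuses it.
        return ("not-http", "no HTTP request line")
    method, target, version = m.groups()
    if method in TUNNEL_METHODS:
        return ("http-tunnel", TUNNEL_METHODS[method])
    if method not in STANDARD:
        return ("http-tunnel", "non-standard method " + method.decode())
    if not (target.startswith(b"/") or target.startswith(b"http://") or target == b"*"):
        return ("suspicious", "unusual request target " + target.decode(errors="replace"))
    headers = payload[m.end():].split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if version == b"1.1" and not any(h.lower().startswith(b"host:") for h in headers):
        return ("suspicious", "HTTP/1.1 request without Host header")
    return ("http", method.decode())

SAMPLES = {  # constructed first-segment payloads, one per case
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET /x HTTP/1.1\r\nUser-Agent: tool\r\n\r\n",
    "outlook": b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\n"
               b"Host: mail.example.com\r\n\r\n",
    "connect": b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n",
    "binary":  b"\x02\x1f\xa7\x00\x83\x4c\x0e\x10\x55",   # not HTTP at all
}

def classify_all(samples=SAMPLES):
    """Verdict per sample name, for a quick look at what the proxy would see."""
    return {name: classify_port80(p)[0] for name, p in samples.items()}
```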
Information about Microsoft Projects Leaked

What a coincidence! Yesterday I posted an article about protecting your brand in the web 2.0 jungle and today a nice story was reported on Slashdot. A very nice example of bad communication on the web 2.0.
Robert Morgan, a Microsoft Research employee, wrote on his LinkedIn profile: “Working in high-security department for research and development involving strategic planning for medium and long-term projects. Research & Development projects including 128-bit architecture compatibility with the Windows 8 kernel and Windows 9 project plan. Forming relationships with major partners: Intel, AMD, HP and IBM.”
Oh oh! Microsoft’s plans are to make Windows 8 a 128-bit operating system. Robert’s account was quickly removed.
Protect your Brand in the Web 2.0 Jungle

(Source: geekandpoke.typepad.com/)
This afternoon I followed a webcast about the protection of your brand in the web 2.0 jungle. A fact is that the reputation of a brand built over years can be destroyed in only a few minutes! Think about that!
Just to remind you, the “web 2.0” is the huge amount of last-generation websites which allow interaction with the visitors. Users are now able to publish their own content online in a few clicks (like the article you’re reading now). A specific type of application is the social networking site. Major players are Facebook, LinkedIn, YouTube or Twitter.
For a long time now, a lot of employees already use social networks for personal purposes. If they surf from the corporate network, the risk of seeing information about the company published is very high. They can disclose, even without explicit intent, interesting information about internal applications or processes (example on Facebook: “John is pissed off by xxx, this firewall is a real bullshit!”). Those data can be easily found by performing some social engineering and can be very useful for bad guys.
But today, organizations are also active on social networks for business purposes (for more collaboration between employees, for brand awareness and marketing actions, or to increase productivity). A survey showed that 86% of ICT managers feel pressure to allow access to web 2.0 apps. But at the same time, 91% of firms do not have any idea of the threats against online applications. In the past, the social networking sites were simply banned by firewalls or proxies.
Never trust your users. That’s why a “social media policy” must be defined and endorsed by the top management. Lots of policy examples are available on socialmediagovernance.com. Why do you need such a policy?
- First, if you don’t tell what to expect, expect it wrong!
- Your brand can be compromised and used against you.
- The content is highly dynamic and will be quickly indexed and reused in “clouds”. Impossible to control.
- There are risks of data leakage.
- Malicious code appeared in online applications and they are now a vector of infection.
Keep “control” of your brand and avoid cybersquatting. Today, not only domain names are targets: keep an eye on URLs like “twitter.com/yourbrand” or “facebook.com/yourbrand”. It’s easy for an employee to register the company name on a social network and to communicate on it. This can be disastrous! In this case, we speak about “qualitative risks”: it’s not possible to estimate a profit loss ($) if this happens, but the impact on your brand can be really important with respect to your customers, partners or shareholders.
Finally don’t forget to track the usage of your brand on the Internet. Google Alerts is a nice tool for this purpose. It will notify you when defined keywords are detected on web pages.
Easy Geolocalization of IP Addresses

If there is one annoying operation for me, it is searching for contact information about IP addresses!
Often, network administrators and security guys have to find out to whom a given IP address is assigned (example: when analyzing logs or doing forensic searches). Useful information linked to IP addresses is contact information (technical, abuse), country and routing information (autonomous systems).
The whole IPv4 address space (2^32 addresses) is split into blocks and almost all of them are assigned by an organization called IANA (Internet Assigned Numbers Authority). This address space is divided into blocks of /8 (255^3 addresses) and assigned. But IANA cannot handle all the requests for IP addresses. That’s why there is some kind of delegation system. The Internet is divided into several geographical zones where a “sub” authority, called a “Regional Internet Registry”, handles local requests and follows the good usage of its own assigned IP blocks. Finally, each ISP redistributes its assigned addresses by splitting the blocks into smaller pieces (using bigger subnet masks). We end up with this kind of chain of delegation:
IANA -> Regional Internet Registry -> Internet Providers -> Customers

Source: http://www.iana.org/numbers/
An Internet Service Provider located in Belgium will ask its local IANA representative for IP addresses. For Belgium, it’s the RIPE (“Réseaux IP Européens”). Once IP addresses have been assigned to this ISP, all relevant information is stored in a “whois” database and the ISP can start to distribute them to its customers. Its responsibility will be to add customer information into the same whois database. Such a database is used to store information about IP addresses, domain names or autonomous systems. To query a whois DB, you need a client which is called… “whois” on UNIX (clients are available for all operating systems). As an example, let’s search for more information about the IP address behind www.twitter.com:
$ host www.twitter.com
www.twitter.com is an alias for twitter.com.
twitter.com has address 168.143.162.116
$ whois -h whois.ripe.net 168.143.162.116
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '168.0.0.0 - 168.255.255.255'
inetnum: 168.0.0.0 - 168.255.255.255
netname: EU-ZZ-168
descr: Various Registries
country: EU # Country is really world wide
remarks: These addresses were issued by
The IANA before the formation of
Regional Internet Registries.
org: ORG-NCC1-RIPE
admin-c: iana1-RIPE
tech-c: iana1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
source: RIPE # Filtered
organisation: ORG-NCC1-RIPE
org-name: RIPE NCC
org-type: RIR
address: RIPE Network Coordination Centre
address: P.O. Box 10096
address: 1001 EB Amsterdam
address: The Netherlands
phone: +31 20 535 4444
fax-no: +31 20 535 4445
e-mail: hostmaster@ripe.net
admin-c: CREW-RIPE
tech-c: CREW-RIPE
mnt-ref: RIPE-NCC-RIS-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
e-mail: bitbucket@ripe.net
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered
In the example above, we sent a whois query to whois.ripe.net and the database reported that the object was assigned by IANA. No more information is provided. Now you know why searching for IP addresses is so boring! Often, you don’t know which whois database to query to get the relevant information! Worse, the IANA whois database only contains domain names for which IANA is authoritative! Except for some well-known blocks directly related to your business, you can’t remember which whois server to use for all of them. Let’s try another DB: whois.arin.net. Bingo! It found something:
$ whois -h whois.arin.net 168.143.162.116
OrgName: NTT America, Inc.
OrgID: NTTAM-1
Address: 8005 South Chester Street
Address: Suite 200
City: Centennial
StateProv: CO
PostalCode: 80112
Country: US
<Remaining stuff deleted>
If you’re not lucky, you can now imagine the nightmare of finding the right whois server! You’ll have to perform two or three queries before a successful search.
Recently, I found a nice website developed by a German company called utrace. It allows you to enter a domain name, a host name or an IP address and will search the right whois database for you. It will also show you the IP address location on a Google map:
Once located on the map, the IP address can be re-used to perform a query against the right whois server and extra information will be displayed. As an extra, a small widget is available for your web pages as well as a PHP API. A very useful online tool! (I’m sure that other services like this one exist, feel free to share.)
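The placeholder answer from whois.ripe.net above can be recognised mechanically: the inetnum object carries `status: ALLOCATED UNSPECIFIED` and remarks pointing at IANA, which is the signal to try the next registry. The parser below is an added example, not code from the post or from the whois client; the two sample answers are constructed (one abridged from the RIPE output quoted above, one invented assignment in the 192.0.2.0/24 documentation range).

```python
"""Parse an RPSL whois answer (the format whois.ripe.net returns above) and tell a
legacy IANA placeholder from a real assignment, so a script knows when to query the
next registry. Added example, not code from the post; both samples are constructed
(one abridged from the RIPE answer quoted above, one in the 192.0.2.0/24 doc range)."""
import ipaddress
import re

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")

LEGACY_RIPE = """\
% Information related to '168.0.0.0 - 168.255.255.255'
inetnum:      168.0.0.0 - 168.255.255.255
country:      EU # Country is really world wide
remarks:      The IANA before the formation of
status:       ALLOCATED UNSPECIFIED

organisation: ORG-NCC1-RIPE
org-name:     RIPE NCC
org-type:     RIR
"""

ASSIGNED = """\
inetnum:      192.0.2.0 - 192.0.2.255
country:      BE
status:       ASSIGNED PA
"""

def parse_rpsl(text):
    """Objects are blank-line separated, each attribute -> list of values; '%' lines go."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last object
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if m := ATTR_RE.match(line):
            key, val = m.group(1), m.group(2).split(" #", 1)[0].strip()   # drop '# ...'
            current.setdefault(key, []).append(val)
    return objects

def inetnum_prefixes(obj):
    """CIDR blocks covering an inetnum 'start - end' range (a /8 is 2**24 addresses)."""
    start, end = (s.strip() for s in obj["inetnum"][0].split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))]

def needs_referral(objects):
    """Reason to ask another registry, or None when the inetnum is a usable assignment."""
    for obj in objects:
        if "inetnum" not in obj:
            continue
        status = obj.get("status", [""])[0]
        if status == "ALLOCATED UNSPECIFIED" or "IANA" in " ".join(obj.get("remarks", [])):
            return "placeholder for %s (%s): try the next RIR" % (inetnum_prefixes(obj)[0], status)
        return None
    return "no inetnum object in answer"
```

Feeding the real answer from `whois -h whois.ripe.net 168.143.162.116` to `parse_rpsl` gives the same verdict, which is the cue to move on to whois.arin.net as done above.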
Facebook Cybersquatting Soon?

Will Facebook once again make a buzz?
Saturday, June 13th starting at 06:01am, Facebook users will be able to choose a username to customize their profile URL. Something like http://www.facebook.com/username/. After DNS cybersquatting, will we see a new effect of Facebook cybersquatting?
There is already a FAQ available about this new feature and Facebook also put a form online to help trademark owners reserve their usernames. But what about trademarks not reserved? They announce the possibility to start a procedure to recover the squatted username, but how much time will it take? What will their helpdesk load increase be? I’m curious!
Follow Several Security Threat Levels via Twitter
Twitter, the micro-blogging platform, attracts a larger audience day after day. According to recent studies, lots of accounts stay un-updated for long periods of time.
On the other side, there are more and more huge communities of active users who tweet on specific topics: IT security is represented by a lot of security professionals already writing on Twitter!
For most users, Twitter’s primary usage stays notifying your “followers” that you’re stuck in a traffic jam, you will be late to your weekly meeting or your dog escaped last night (like all major social networking sites)! But Twitter can also be used to automatically spread useful information grabbed from the Internet like… security threat levels!
Some companies active in the IT security market offer “security level” awareness services based on an index like the well-known DEFCON level used by the US Armed Forces. Indexes may vary depending on malicious activities detected by their honeypot networks, or on new viruses or malware spreading in the wild.
It’s also possible to follow several threat levels on Twitter via the account “ThreatLevel”. Every time a security level is increased or decreased, a Tweet is generated (updated hourly).
The following threat levels are monitored (this is a non-exhaustive list):
- Symantec ThreatCon
- McAfee Global Threat Condition
- Trend Micro Threat Level
- ISS AlertCon
- SANS ISC Internet Threat Level
- DHS National Threat Advisory
No need to visit several websites or follow RSS feeds, just follow @ThreatLevel.
Virtual Banking, Real Risks?

Announced on BBC News: Mindark, the developers of Entropia, got their license to perform online banking! Entropia is an online game defined as “The first virtual universe with a real cash economy”.
The Swedish Financial Supervisory Authority accepted and issued a license to Mindark. It allows players to convert their PEDs (“Project Entropia Dollars”) into real money. The Mindark business model relies on micro-payments made by players to buy goods in the game. The license will allow them to offer virtual bank services with facilities like a real one (transfer money, pay for goods, convert to real money, …)
Even if they clearly said that regulators will get oversight of financial transactions carried out in the game world (and track malicious activities), there are chances that they will quickly become the target of new attacks! Today, bad guys operate where there are potential gains!
Source: Online game gets banking licence.