John Murphy is a Security Researcher at FlowTraq. His research has included attack graph analysis, system performance baselining, and a game-theoretic analysis of the Conficker worm, and he has extensive experience and multiple publications in the field of network behavior-based insider threat detection. John has a PhD in engineering from Dartmouth College, and engineering degrees from West Virginia University.
The big news this week, of course, was the large-scale attack on Target’s Point-of-Sale (POS) systems that resulted in the loss of up to 40 million credit card records over the holiday shopping season. Investigators are sensibly keeping tight-lipped about what they’ve learned so far about the specifics of the theft, but there are lessons here for many organizations.
At heart, this was a data exfiltration problem: sensitive data entered the system and was removed from it without authorization, and it will be investigated as such. POS systems are supposed to be quiet assets: unlike public-facing servers or user desktops, they should communicate only with a tightly controlled set of partners under specific conditions. If you filter the planned communications out of such an asset’s traffic, you should see nothing at all; anything left over is, by definition, unplanned and worth a look.
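The check described above, written out as an added example (not FlowTraq code): take a POS host’s flow records, subtract everything that matches its allow-list of (destination, port, protocol) tuples, and summarize what is left by peer. The flow records, the POS addresses and the allow-list are constructed for illustration; the CSV layout is an assumed NetFlow-v5-like export.

```python
"""Quiet-asset check: filter a POS host's flows against its allow-list and
report whatever is left over.  Added example, not FlowTraq code; the flow
records, hosts and allow-list below are constructed for illustration."""
import csv
import io
from collections import Counter

# Constructed sample flows in a NetFlow-v5-like CSV layout (assumed columns).
FLOWS_CSV = """start,src,sport,dst,dport,proto,bytes
2013-12-01T09:00:01,10.20.1.15,49152,10.20.0.10,443,tcp,18240
2013-12-01T09:00:04,10.20.1.15,49153,10.20.0.53,53,udp,210
2013-12-01T09:00:09,10.20.1.15,49160,10.20.0.10,443,tcp,22110
2013-12-01T09:01:30,10.20.1.15,49171,10.20.0.20,445,tcp,5120
2013-12-01T09:02:02,10.20.1.15,49180,198.51.100.7,80,tcp,734120
2013-12-01T09:02:40,10.20.1.16,49100,10.20.0.10,443,tcp,17900
2013-12-01T09:03:15,10.20.1.15,49190,198.51.100.7,80,tcp,810332
"""

# Assumed policy: a POS terminal talks to the payment gateway on 443, to the
# internal DNS resolver on 53, and to the store's update share on 445.
POS_HOSTS = {"10.20.1.15", "10.20.1.16"}
ALLOWED = {
    ("10.20.0.10", 443, "tcp"),   # payment gateway (assumed)
    ("10.20.0.53", 53, "udp"),    # internal resolver (assumed)
    ("10.20.0.20", 445, "tcp"),   # patch/update share (assumed)
}


def parse_flows(text):
    """Yield one dict per flow record, with ports and byte counts as ints."""
    for row in csv.DictReader(io.StringIO(text)):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        yield row


def residual_flows(flows, pos_hosts, allowed):
    """Return flows initiated by a POS host that match no allowed
    (destination, port, protocol) tuple.  For a quiet asset this list should
    be empty; anything returned is unplanned traffic to investigate."""
    return [
        f for f in flows
        if f["src"] in pos_hosts
        and (f["dst"], f["dport"], f["proto"]) not in allowed
    ]


def summarize(residual):
    """Aggregate residual flows per unexpected peer: session count and bytes
    sent.  A large outbound byte count toward an unknown peer is the
    exfiltration signature to look for."""
    sessions, out_bytes = Counter(), Counter()
    for f in residual:
        key = (f["src"], f["dst"], f["dport"], f["proto"])
        sessions[key] += 1
        out_bytes[key] += f["bytes"]
    return {k: {"sessions": sessions[k], "bytes": out_bytes[k]} for k in sessions}


if __name__ == "__main__":
    leftovers = residual_flows(parse_flows(FLOWS_CSV), POS_HOSTS, ALLOWED)
    for peer, stats in summarize(leftovers).items():
        print(peer, stats)
```

On the constructed data the only thing that survives the filter is 10.20.1.15 pushing about 1.5 MB to an outside host on port 80, which is exactly the kind of residue the allow-list approach is meant to surface. In practice the allow-list comes from the asset’s documented partners, and the check runs continuously rather than once.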
If you’ve seen an uptick in UDP traffic, you’re not alone. Google’s QUIC protocol, built on top of UDP, was added to Google Chrome in the last few months. Last week Google went public with details about this newest effort to speed up the web, and people are already talking about it. According to Google, users should see only faster load times and fewer stalled streams due to lost packets, but those of us who watch the network should see something different: potentially, the start of a shift in web traffic from TCP ports 80 and 443 to the same ports over UDP. Maybe there will be a decrease in overall bandwidth use, maybe not. Depending on implementation, the multiplexing may result in (more…)
VMware’s vSphere and related technologies let users create a single virtual datacenter whose distributed virtual switches span multiple ESXi hosts, and provide a convenient user interface for creating and managing those switches, including NetFlow monitoring. The distributed switch in vSphere 5.0 exports NetFlow v5; vSphere 5.1 and later export IPFIX (NetFlow v10), so make sure your collector accepts the version your hosts send. To use NetFlow export with an ESXi hypervisor, you need the vSphere Web Client, which is distributed with vCenter Server.
Open vSwitch is a popular open-source virtual switch and SDN building block that runs on Linux-based virtualization platforms, including KVM, VirtualBox, Proxmox VE, Xen Cloud Platform, XenServer and others. Despite the intricacy of these networks, configuring NetFlow export from any number of virtual switches is straightforward.
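As an added example (not part of the original post or of the Open vSwitch project), here is the NetFlow configuration for one bridge expressed as ovs-vsctl invocations built and run from Python, so the exact syntax and the relevant NetFlow table columns are visible in one place. The bridge name br0, the collector 192.0.2.10:2055 and the 30-second active timeout are assumed values; the `set Bridge ... netflow=@nf -- --id=@nf create NetFlow ...` form is the documented one from the ovs-vsctl manual page.

```python
"""Configure NetFlow export on an Open vSwitch bridge via ovs-vsctl.
Added example, not code from the original post or from Open vSwitch;
bridge name, collector address and timeouts below are assumed values."""
import shutil
import subprocess


def netflow_enable_cmd(bridge, collectors, active_timeout=60, add_id_to_interface=False):
    """Build the ovs-vsctl argument vector that creates a NetFlow row and
    attaches it to `bridge` in a single transaction.

    - targets: one or more "ip:port" collectors.  OVSDB string values that
      contain a colon must be double-quoted, so the quotes are part of the
      argument itself, not shell quoting.
    - active_timeout: seconds between records for long-lived flows
      (0 requests the OVS default, -1 disables active timeouts).
    - add_id_to_interface: fold the engine id into the high bits of the
      interface index fields, useful when several bridges feed one collector.
    """
    targets = ",".join('"%s"' % t for t in collectors)
    return [
        "ovs-vsctl", "--", "set", "Bridge", bridge, "netflow=@nf",
        "--", "--id=@nf", "create", "NetFlow",
        "targets=" + targets,
        "active_timeout=%d" % active_timeout,
        "add_id_to_interface=%s" % ("true" if add_id_to_interface else "false"),
    ]


def netflow_disable_cmd(bridge):
    """Detach the NetFlow row from a bridge; OVSDB garbage-collects it."""
    return ["ovs-vsctl", "clear", "Bridge", bridge, "netflow"]


def netflow_show_cmd():
    """List configured NetFlow rows so the collector address can be verified."""
    return ["ovs-vsctl", "list", "NetFlow"]


def run(argv, dry_run=True):
    """Print the command; execute it only when asked and ovs-vsctl is present.
    Returns the command's stdout, or None when nothing was executed."""
    print(" ".join(argv))
    if dry_run or shutil.which("ovs-vsctl") is None:
        return None
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Assumed: bridge br0, collector at 192.0.2.10 on UDP 2055, dry run only.
    run(netflow_enable_cmd("br0", ["192.0.2.10:2055"], active_timeout=30))
    run(netflow_show_cmd())
    run(netflow_disable_cmd("br0"))
```

Pass `dry_run=False` on a host that actually runs Open vSwitch to apply the change; `ovs-vsctl list NetFlow` afterwards should show the collector under `targets`. Repeat the enable step per bridge, setting `add_id_to_interface=True` and distinct engine ids when more than one bridge reports to the same collector, so their interface indexes do not collide.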
Those who are monitoring their traffic this week may have noticed a curious increase in traffic to Apple (ASN714; top graph of sessions initiated) and Akamai (various ASNs, bottom graph of bytes transferred). One need not look far to find the culprit:
The FlowTraq team is proud to announce the availability of the Q3/13 release of FlowTraq. This release comes with a lot of new features aimed at improving your ability to secure and manage large networks. (more…)
Opening a FlowTraq Cloud window for the first time can be like walking into a big grocery store when you’re hungry: There’s a lot to see, and you know there’s something good here… but where to start? This post is intended as a springboard to help you find interesting traffic on your network. The workspaces linked here all show your data as a FlowTraq Cloud customer, which means that anything you see, you can immediately act on. It’s easy, it’s fast, and there’s a LOT to see.
Data exfiltrations from major US weapons manufacturers have put Chinese hacking back in the news. The debate over who is behind these major data leaks continues, with some sources pointing fingers at the government and others blaming small private groups. These distinctions matter for diplomacy and law enforcement, but at the end of the day, all that matters is that data is being stolen. (more…)
Brute Force Attacks Prey on Common Password Combinations
Brute-force attacks have been in the news again: there are wide reports of a massive wave of them against sites running the popular WordPress software. Brute-force attacks on password-protected software are crude but regrettably effective: an attacker takes a list of common usernames and a large set of common passwords and makes hundreds or thousands of connections until a pair works. Once one does, they have access to your system. Nearly one hundred thousand WordPress sites have reportedly been compromised and added to a growing botnet. The folks at WordPress have been quick on their feet with a fix, but that doesn’t mean all their customers are, so this may continue for some time. (more…)
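The “hundreds or thousands of connections” are what shows up in flow data even when you never see the HTTP payload. As an added example (not FlowTraq code), the block below flags both shapes of the attack: one source opening many small sessions to one web server inside a short window, and the distributed variant where a botnet spreads the same attempt count over many sources against one server. The flow records, window lengths and thresholds are constructed and assumed; tune them to your own baseline.

```python
"""Flag brute-force login patterns in flow data: one client opening many
short sessions to a web server inside a short window, and the distributed
variant where many clients each open a few sessions against the same server.
Added example, not FlowTraq code; flows, windows and thresholds are
constructed/assumed values."""
from collections import defaultdict

WEB_PORTS = (80, 443)


def make_sample_flows():
    """Construct sample flows (ts in epoch seconds, bytes client->server):
    one noisy client, a benign browser, and a small distributed pass."""
    flows, base = [], 1365600000
    # Single-source brute force: 40 POST-sized sessions to one site in ~2 min.
    for i in range(40):
        flows.append(dict(ts=base + 3 * i, src="203.0.113.5",
                          dst="192.0.2.80", dport=80, bytes=600 + i % 7))
    # Benign browsing: a few large page loads to the same site.
    for i in range(3):
        flows.append(dict(ts=base + 50 * i, src="198.51.100.23",
                          dst="192.0.2.80", dport=80, bytes=48000 + 1000 * i))
    # Distributed attempt: 12 sources, 6 small sessions each, second site.
    for s in range(12):
        for i in range(6):
            flows.append(dict(ts=base + 10 * i + s, src="203.0.113.%d" % (100 + s),
                              dst="192.0.2.81", dport=80, bytes=590))
    return sorted(flows, key=lambda f: f["ts"])


def _small_web_sessions(flows, max_bytes):
    """Login POSTs are small; dropping large sessions removes normal browsing."""
    return [f for f in flows if f["dport"] in WEB_PORTS and f["bytes"] <= max_bytes]


def single_source_bruteforce(flows, window=300, min_sessions=20, max_bytes=2000):
    """Return {(src, dst, dport): peak sessions} for every client whose count
    of small sessions to one server within `window` seconds reaches
    min_sessions (sliding window over the sorted timestamps)."""
    by_pair = defaultdict(list)
    for f in _small_web_sessions(flows, max_bytes):
        by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_sessions:
            hits[pair] = peak
    return hits


def distributed_bruteforce(flows, window=300, min_sources=10, min_total=50, max_bytes=2000):
    """Return {(dst, dport): (distinct sources, sessions)} for servers that
    receive at least min_total small sessions from at least min_sources
    different clients within `window` seconds; per-client counts alone would
    stay under the single-source threshold."""
    by_dst = defaultdict(list)
    for f in _small_web_sessions(flows, max_bytes):
        by_dst[(f["dst"], f["dport"])].append((f["ts"], f["src"]))
    hits = {}
    for dst, events in by_dst.items():
        events.sort()
        lo, best = 0, (0, 0)
        for hi, (t, _) in enumerate(events):
            while t - events[lo][0] > window:
                lo += 1
            win = events[lo:hi + 1]
            srcs = len({s for _, s in win})
            if len(win) >= min_total and srcs >= min_sources and (srcs, len(win)) > best:
                best = (srcs, len(win))
        if best[0]:
            hits[dst] = best
    return hits


if __name__ == "__main__":
    sample = make_sample_flows()
    print("single-source:", single_source_bruteforce(sample))
    print("distributed:  ", distributed_bruteforce(sample))
```

On the constructed data the benign browser disappears under the byte filter, 203.0.113.5 is caught by the per-source check, and the twelve-host pass against 192.0.2.81 is caught only by the distributed check, which is why both are needed. A botnet the size reported here will sit well below any per-source threshold on each individual member.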
Hacking attempts have been in the news again, this time with accusations that a Chinese military unit, Unit 61398 in Shanghai, is responsible for a large number of spear-phishing and other attacks. These attacks appear to focus on getting Windows users to run disguised EXE files, which in turn exfiltrate data. The first-line emails are well written and targeted, and use subtle tricks such as naming a file “filename.pdf .exe”, padding the name with spaces so that the displayed filename is cut off after the .pdf and the real .exe extension goes unseen. There are a number of interesting articles on the subject, as well as Mandiant’s excellent analysis “APT1: Exposing One of China’s Cyber Espionage Units”.
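The padded double extension is easy to check for mechanically at a mail gateway or in a quarantine review, since the operating system acts on whatever follows the last dot regardless of how the name renders. The block below is an added example, not code from the post or from Mandiant’s report: it classifies attachment names by their true extension, the decoy extension in front of it, the amount of whitespace padding between them, and the presence of Unicode bidirectional control characters, which achieve the same disguise by reversing display order. The extension lists and sample names are constructed.

```python
"""Spot executables disguised by a padded double extension, the
"filename.pdf .exe" trick described above, plus the bidi-override variant.
Added example, not code from the post or from Mandiant's report; the
extension lists and sample names are constructed for illustration."""

# Extensions Windows runs directly (assumed list; extend for your environment).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Extensions the victim is meant to believe they are opening.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt"}
# Unicode bidirectional overrides/isolates that reorder the displayed name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def split_name(name):
    """Return (stem, true_ext).  The extension the OS acts on is whatever
    follows the final dot, with surrounding whitespace removed, lower-cased."""
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, ext.strip().lower()


def analyze_filename(name):
    """Return the list of reasons `name` looks disguised (empty means clean).
    Checks:
      1. a decoy extension, whitespace padding, then an executable extension
         (the padding pushes ".exe" past the visible width);
      2. the same double extension without padding;
      3. a bare executable extension;
      4. bidi control characters, which make "fdp.exe" render as "exe.pdf"."""
    reasons = []
    stem, ext = split_name(name)
    visible = stem.rstrip()                 # what the user sees before the padding
    padding = len(stem) - len(visible)      # whitespace between decoy and real ext
    decoy = visible.rsplit(".", 1)[-1].lower() if "." in visible else ""

    if ext in EXECUTABLE_EXTS:
        if decoy in DECOY_EXTS and padding >= 2:
            reasons.append("padded double extension: .%s hidden behind .%s by %d whitespace characters"
                           % (ext, decoy, padding))
        elif decoy in DECOY_EXTS:
            reasons.append("double extension: .%s behind .%s" % (ext, decoy))
        else:
            reasons.append("executable attachment: .%s" % ext)
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi control character present")
    return reasons


def is_disguised(name):
    """True when any check fired; suitable as a quarantine predicate."""
    return bool(analyze_filename(name))


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ("Q3_report.pdf", "Q3_report.pdf" + " " * 10 + ".exe",
               "photo.jpg.scr", "invoice\u202efdp.exe")
    for sample in samples:
        print(repr(sample), "->", analyze_filename(sample) or "clean")
```

Note that the check deliberately does not trust the decoy: a name ending in .exe is flagged whether or not a .pdf precedes it, and a .pdf whose real extension is .pdf passes even if it contains spaces. Mail clients and Explorer can also hide known extensions outright, so the true-extension logic belongs at the gateway, where the full name is available.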