Great article from Krebs on Security

February 7, 2011

Brian Krebs has a great post on his site about the recent hack of HBGary Federal. There’s a quote from Greg Hoglund that I wanted to call attention to. In describing the hacker’s methodology, Hoglund states: “So it’s a case where the hackers break in on a non-important system…and leveraged lateral movement to get onto systems of interest over time.” The next time you’re told not to worry about a vulnerable system because it is low-impact, has no important data or is otherwise of no interest to an attacker, point them to this article.

Categories: Opinion

Arduino server room monitor

October 1, 2010

I just finished building an Arduino-based server room environment monitor using a kit from Sproutboard. It is a pretty nice kit for the cost. The kit plus the Arduino and ethernet shield from Sparkfun comes in at under $250.

For that $250 and a bit of manual labor, I am able to see ambient temperature, humidity, incoming A/C temperature, if the lights are on, if the door is open and whether there is water on the floor, all from a basic webpage. The system itself has a buzzer for an audible alarm if any conditions are outside your specified parameters (positive test for water on floor, ambient temp > 80, etc). I also built a quick script for my Nagios system that pulls data from the web page so I get email/SMS alerts as well.
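The Nagios script mentioned above is not shown on the page, so here is an added example of what such a check plugin can look like. It is my illustration, not the post's script or Sproutboard's code: it assumes the monitor serves a simple "name: value" text page (a constructed sample is embedded so it runs offline), applies the post's thresholds (ambient temp above 80, water on the floor) plus a couple of extra ones, and exits with the standard Nagios codes and performance data.

```python
#!/usr/bin/env python3
"""Nagios-style check for an Arduino room monitor's status page (added example)."""
import re
import sys
from urllib.request import urlopen

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of the "name: value" page format this example assumes;
# the real kit's page layout may differ, so adjust FIELD_RE to match it.
SAMPLE_PAGE = """\
ambient_temp_f: 84.5
humidity_pct: 41
ac_supply_temp_f: 58
lights: on
door: closed
water_on_floor: no
"""

# Only accept the expected field shape; anything else on the page is ignored.
FIELD_RE = re.compile(r"^\s*([a-z_]+)\s*:\s*(\S+)\s*$", re.MULTILINE)


def parse_page(text):
    """Turn 'name: value' lines into a dict; numeric values become floats."""
    readings = {}
    for name, value in FIELD_RE.findall(text):
        try:
            readings[name] = float(value)
        except ValueError:
            readings[name] = value.lower()
    return readings


def evaluate(readings, warn_temp=75.0, crit_temp=80.0, max_humidity=60.0):
    """Apply thresholds and return (exit_code, status_line)."""
    crit, warn = [], []
    temp = readings.get("ambient_temp_f")
    if temp is None:
        # A page that no longer reports temperature is itself a fault worth surfacing.
        return UNKNOWN, "UNKNOWN: ambient_temp_f missing from monitor page"
    if temp > crit_temp:
        crit.append(f"ambient temp {temp:.1f}F > {crit_temp:.0f}F")
    elif temp > warn_temp:
        warn.append(f"ambient temp {temp:.1f}F > {warn_temp:.0f}F")
    if readings.get("water_on_floor") == "yes":
        crit.append("water detected on floor")
    if readings.get("door") == "open":
        warn.append("server room door open")
    hum = readings.get("humidity_pct")
    if hum is not None and hum > max_humidity:
        warn.append(f"humidity {hum:.0f}% > {max_humidity:.0f}%")
    # Performance data lets Nagios graph the readings over time.
    perf = f" | temp={temp};{warn_temp};{crit_temp} humidity={hum if hum is not None else 'U'}"
    if crit:
        return CRITICAL, "CRITICAL: " + "; ".join(crit + warn) + perf
    if warn:
        return WARNING, "WARNING: " + "; ".join(warn) + perf
    return OK, f"OK: temp {temp:.1f}F, door {readings.get('door', '?')}, floor dry" + perf


def check_url(url, timeout=10):
    """Fetch the monitor page and evaluate it; network errors map to UNKNOWN."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            text = resp.read().decode("utf-8", "replace")
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN: cannot fetch {url}: {exc}"
    return evaluate(parse_page(text))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        code, message = check_url(sys.argv[1])  # e.g. http://monitor.example.lan/
    else:
        code, message = evaluate(parse_page(SAMPLE_PAGE))  # offline demo
    print(message)
    sys.exit(code)
```

Two design points: a fetch failure returns UNKNOWN rather than OK, so a dead monitor is visible instead of silently green, and the parser only accepts the field shape it expects, since the kit's page is plain unauthenticated HTTP and is best kept on a management network and treated as untrusted input.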

The code is really easy to work with. If you have ever done any C/C++ work you should feel right at home. I spent some time modifying the code so the system works exactly as I want it to. Can’t do that with many off-the-shelf systems.

I liked the system so much that I bought several more to send out to our remote offices. Some of our remote sites have a “server room” that is little more than a storage closet. It will be nice to have hard numbers on what the temperature is in those rooms.

Looking down the road a ways, I will probably be adding a single-chip smoke detector, and I might hook up an AC-powered relay plugged into an outlet that isn’t powered by our generator. That will allow me to get alerts when we lose utility power.

You can also adapt this same system to monitor your house, control a greenhouse, etc. The Sproutboard site has lots of ideas. Check it out.

Categories: Tech

Nagios alerts via SMS with gnokii (tutorial)

September 23, 2010

Like many IT professionals, I use Nagios to monitor many systems and services. Some of these are security related (the SIEM system just registered an incident), while others can span both operational and security disciplines (the web server is down…why is the web server down?).

While all of the geeks I work with are able to get email alerts 24/7 through the magic of smart phones, there were still potential gaps in this method of notification. What if the email server is down? How about if the ActiveSync server, firewall, internet connection, or core switching is down?

Getting alerts via SMS seemed like a great solution to this problem. My initial route to this functionality was using the cell provider’s email-to-SMS gateway. This provided alerts that went out if the mail or ActiveSync servers were down, but didn’t really address a failure at the firewall, internet connection or switching infrastructure.

Some people I bounced ideas off of suggested using a cellular modem (a.k.a. air card). This did seem possible, but getting the system to dial out when needed seemed overly complex. A Verizon MiFi was also suggested. While that lacked the complexity, I was worried that the always-on connection could function as a back-door into the network. What I really wanted was a way to send SMS messages directly via the cell network.

Since I have an android phone with root access, I was hoping to find a way to use Android’s native debugging system (adb) to create a text message using the adb shell and a simple shell script. I failed to find a way to do this. I’d still like to figure out a way to make this happen, so please leave a comment if you have solved this puzzle!

Giving up on the Android route, a little googling led me to gnokii. gnokii is designed to have some pretty wide-ranging functionality, but all I wanted it for was the ability to send an SMS message via an attached cell phone. I went down several blind alleys before I got a working system set up, but I did finally get it running. I’m happy to say it works exactly as I had hoped. Click here for the full tutorial.

Categories: Tech

BIND 9.3 and malwaredomains.com

September 2, 2010

I have been using a DNS blacklist from http://www.malwaredomains.com with BIND 9.3.x to redirect spyware communication to an internal honeypot machine. I got an alert this morning that the system was no longer responding to DNS requests. When I tried to manually start named, I found that I was getting an error due to an underscore in one of the entries in the blacklist.

Depending on where you get your information, underscores are either completely not-RFC compliant, or a normal and accepted part of DNS. What I didn’t understand was why I wasn’t one of half a million users of malwaredomains.com running into this same situation? If underscores are bad, malwaredomains.com should have gotten quite a few complaints before I jumped in. If underscores are ok, why is my BIND falling over when it finds one?

It turns out that prior to 9.3, even though there is a configuration option to check domain names for validity, BIND either didn’t check the names or checked in a different way that didn’t choke on underscores. Now in version 9.3, the checking has been turned on/expanded and it isn’t very happy when it finds that nasty underscore.

This is too bad, because anyone running a BIND server in an Active Directory environment will tell you that there are some DNS records with underscores in the names that are pretty important to the proper functioning of AD. I have a feeling this will be biting a lot of people migrating from older versions of BIND.

Whether or not underscores are ok, I needed to get my server running again. I got named up temporarily by deleting the offending record, but that wasn’t a permanent solution. One of my scripts would be downloading a new copy of the list at midnight. The record in question was a legitimately bad host that could be successfully resolved by a client, so I decided against modifying my script to parse the blacklist post-download and filter out any records containing an underscore. Instead, I did some research and then added the following two lines to the “options” section of my named.conf:

check-names master ignore;
check-names response ignore;

Restart named and poof! everything’s happy again.

UPDATE (10/01/10): After some correspondence between myself and the maintainer, malwaredomains.com has started adding the “check-names ignore;” on each line of their file that contains an underscore. Sweet!
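As an added example (not the post's script, nor anything from malwaredomains.com or ISC), here is a small checker that finds which blacklist zone names would trip BIND's hostname check, and that applies the maintainer's per-zone fix from the update above instead of the global "check-names ... ignore;" options. It assumes the blacklist is a named.conf include with one zone stanza per line (a constructed sample is embedded); the hostname rule it enforces is the RFC 952/1123 one that check-names implements: labels of letters, digits and hyphens, no leading or trailing hyphen.

```python
#!/usr/bin/env python3
"""Find blacklist zone names that BIND's check-names would reject (added example)."""
import re
import sys

# Constructed sample in the one-zone-per-line style this example assumes;
# the real malwaredomains file layout may differ.
SAMPLE_CONF = """\
zone "malware-example.net" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "bad_host.example.org" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "-leading.example.com" {type master; file "/etc/namedb/blockeddomain.hosts";};
zone "ok123.example.com" {type master; file "/etc/namedb/blockeddomain.hosts";};
"""

ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"\s*\{(.*)\}\s*;\s*$')
# RFC 952/1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """True if every label of `name` is a valid hostname label (what check-names enforces)."""
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def offending_zones(conf_text):
    """Return the zone names in the file that would fail the hostname check."""
    bad = []
    for line in conf_text.splitlines():
        m = ZONE_RE.match(line)
        if m and not is_hostname(m.group(1)):
            bad.append(m.group(1))
    return bad


def annotate(conf_text):
    """Add a per-zone 'check-names ignore;' only to the zones that need it (idempotent)."""
    out = []
    for line in conf_text.splitlines():
        m = ZONE_RE.match(line)
        if m and not is_hostname(m.group(1)) and "check-names" not in m.group(2):
            body = m.group(2).rstrip()
            line = f'zone "{m.group(1)}" {{{body} check-names ignore;}};'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 check_blacklist.py [named.conf-style include file]
    text = open(sys.argv[1]).read() if len(sys.argv) == 2 else SAMPLE_CONF
    for name in offending_zones(text):
        print("would fail check-names:", name, file=sys.stderr)
    sys.stdout.write(annotate(text))
```

Running this after the midnight download (and before reloading named) tells you exactly which entries carry underscores or other non-hostname labels, and scoping the ignore to those zones keeps the check active for your own master zones, where an odd name is more likely a typo you want caught than a deliberate entry.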