
We’ve got the answer to life, the universe and everything, plus why you need to get upset about ACTA, and patch your Linux kernel!
All that and more, in this Q&A PACKED edition of TechSNAP!
GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!
Pick your code and save:
DOTCO9: .co domain for $17.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
Show Notes:
Dreamhost gets hacked, resets all customers’ passwords, has scale issues
- On January 19th, Dreamhost.com detected unauthorized activity in one of their databases
- It is unclear which databases were compromised, or whether they were DreamHost’s own databases of customer data or customer site databases
- Dreamhost uses separate passwords for their main web control panel, and individual user SSH and FTP accounts
- Dreamhost ran into scale issues, where their centralized web control panel could not handle the volume of users logging in and attempting to change their shell passwords
- The fast forced password reset by DreamHost appears to have promptly ended the malicious activity
- Based on the urgency of the reset, there seem to be indications that DreamHost stores users’ passwords in plain text in one or more databases
- This assertion is further supported by the fact that they print passwords to confirmation screens and in emails
- Dreamhost also reset the passwords for all of their VPS customers
Linux root exploit – when the fix makes it worse
- Linux kernel versions newer than 2.6.39 are susceptible to a root exploit that allows writing to protected memory
- Prior to version 2.6.39, write access was prevented by an #ifdef. This was deemed too weak and was replaced by newer code
- The new security code, which was meant to ensure that writes were only possible with the correct permissions, turned out to be inadequate and easily fooled
- Ubuntu has confirmed that an update for 11.10 has been released; users are advised to upgrade
- This issue does not affect Red Hat Enterprise Linux 4 or 5, because this change was not backported. A new kernel package for RHEL 6 is now available
- Analysis
- Proof of Concept
- Proof of Concept for Android
Feedback
Q: Tzvi asks how to best Monitor employee Internet usage?
A: There are a number of ways to monitor and restrict Internet access through a connection you control. A common suggestion is the use of a proxy server. The issue with this is that it requires configuration on each client machine and sometimes even each client application. This is a lot of work, and is not 100% successful. However, there is an option known as a ‘transparent proxy’. This is where the router/firewall, or some other machine that all traffic to the Internet must pass through, analyzes the traffic and routes outbound connections for port 80 or 443 (HTTP and HTTPS respectively, and optionally additional ports) through the proxy server, without any configuration required on the individual clients. Then, you can use the firewall to deny all outbound traffic that does not go via the proxy.
This is relatively easy to set up, so much so that as part of the final exam in my Unix Security class, students had 2 hours to set up their machine as follows:
- Configure TCP/IP stack
- Download GPG and Class GPG Key
- Decrypt Exam Instructions
- Install Lynx w/ SSL support
- Install a class self-signed SSL certificate and the root certificate bundle to be trusted
- Install and configure Squid to block facebook with a custom error page
- Configure Lynx to use Squid
- Create a default deny firewall that only allows HTTP via squid and FTP to the class FTP server
- Access the college website and facebook (or rather the custom error page when attempting to access facebook)
While they had a little practice, and didn’t have to configure a transparent proxy, it is still a fairly straightforward procedure.
Instead of rolling your own, you can just drop in pfSense and follow these directions
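As an added example (not code from the show notes or from pfSense), the script below generates the two pieces of configuration the transparent-proxy answer above describes for a Linux router: a Squid fragment that listens in intercept mode and blocks facebook with a custom error page, and a default-deny iptables ruleset in which client web traffic can only leave through Squid and the only forwarded traffic is DNS and FTP to the class server. The interface names, the client subnet, the Squid port and user, and the FTP server address are assumptions set at the top; run it with `apply` as root to execute the rules instead of printing them.

```sh
#!/bin/sh
# Added example, not from the show notes or pfSense: emit a Squid intercept
# configuration and an iptables default-deny ruleset for a transparent proxy.
# Every value below is an assumption; override via the environment.

LAN_IF="${LAN_IF:-eth1}"                 # assumption: interface facing the clients
WAN_IF="${WAN_IF:-eth0}"                 # assumption: interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumption: client subnet
PROXY_PORT="${PROXY_PORT:-3128}"         # assumption: Squid intercept port
PROXY_USER="${PROXY_USER:-proxy}"        # assumption: account Squid runs as
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"   # constructed: the "class FTP server"

# Squid fragment: intercept mode (the REDIRECT rule below sends port-80
# traffic here), a domain ACL that is denied, and a custom error page.
# ERR_BLOCKED_SITE is a template you place in Squid's error directory.
squid_conf() {
cat <<EOF
http_port ${PROXY_PORT} intercept
acl localnet src ${LAN_NET}
acl blocked_sites dstdomain .facebook.com
deny_info ERR_BLOCKED_SITE blocked_sites
http_access deny blocked_sites
http_access allow localnet
http_access deny all
EOF
}

# Default-deny ruleset. Clients never reach port 80 on the Internet
# directly: the nat PREROUTING rule hands their web traffic to Squid, and
# only the Squid user may open outbound 80/443 on the WAN side. The only
# client traffic forwarded is DNS and FTP to the class server.
firewall_rules() {
cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${PROXY_PORT}
iptables -A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport ${PROXY_PORT} -j ACCEPT
iptables -A OUTPUT -o ${WAN_IF} -p tcp -m multiport --dports 80,443 -m owner --uid-owner ${PROXY_USER} -j ACCEPT
iptables -A OUTPUT -o ${WAN_IF} -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -d ${FTP_SERVER} -p tcp --dport 21 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
EOF
}

case "${1:-print}" in
    apply) firewall_rules | sh -e ;;          # run as root on the router
    *)     squid_conf; echo; firewall_rules ;; # default: just show the config
esac
```

Two caveats a practitioner will hit: the example only intercepts port 80, because transparently proxying HTTPS needs Squid’s TLS bumping and a certificate the clients trust (the class exam installed such a certificate), so add a FORWARD rule for 443 if HTTPS should pass uninspected; and FTP data connections are only matched as RELATED if the kernel’s FTP connection-tracking helper is loaded.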
Q: Brett asks, what do you do after a compromise?
A: The very first thing you do after a compromise is take a forensic image of the drive: a bit-by-bit copy, without ever writing to or changing the disk in any way. You then pull that disk out and put it away for safekeeping. Do all of your analysis and forensics on copies of that first image (but do not modify it either; you don’t want to have to do another copy from the original). This way, as you work on it and things get modified or trashed, you do not disturb the original copy. You may need the original unmodified copy for legal proceedings, as the evidentiary value is lost if it is modified or tampered with in any way.
So your best bet is to boot off of a live CD (not just any live CD; many try to be helpful and auto-mount every partition they find, so use a forensics live CD that will not take any action without you requesting it). Then use a tool like dd to image the drive to a file or another drive. You can then work off copies of that. This can also work for damaged disks, using command switches for dd such as conv=noerror,sync. Also, using a block size of 1 MB or so will speed up the process greatly.
You asked about Tripwire and the like. The problem with Tripwire is that you need to have been running it since before the incident, so it has a fingerprint database of what the files should look like and can detect what has changed. If you did not have Tripwire set up and running before, while it may be possible to create a fingerprint database from a backup, it is not that useful.
The freebsd-update command includes an ‘IDS’ command that compares all of the system files against the central fingerprint database used to update the OS, and provides quick and powerful protection against the modification of the system files, but it does not check any files installed by users or packages. The advantage of the freebsd-update IDS over Tripwire is that it uses the FreeBSD Security Officer’s fingerprint database, rather than a locally maintained one that may have been modified as part of the system compromise. In college I wrote a paper on using Bacula as a network IDS, I’ll see if I can find it and post it on my blog at appfail.com.
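The following script is an added example (not code from the show notes) covering both halves of this answer: image_disk images a source with the dd switches named above and records source and image hashes in an evidence log, and make_baseline/check_baseline build the kind of file-fingerprint database Tripwire and freebsd-update IDS rely on and report what was modified, removed or added. The device and directory paths in the usage comment are assumptions; the functions take whatever paths you give them.

```sh
#!/bin/sh
# Added example, not from the show notes: forensic imaging with dd plus a
# file-fingerprint baseline and check. Paths in the usage comment are assumptions.
#
# Usage on a real system (assumed paths):
#   image_disk /dev/sdb /evidence/sdb.img /evidence/sdb.log
#   make_baseline / > baseline.txt      # must be taken BEFORE any incident
#   check_baseline / baseline.txt       # keep baseline.txt off the machine or signed

hash_stdin() {
    # SHA-256 of standard input, with whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}
hash_file() { hash_stdin <"$1"; }

# image_disk SOURCE IMAGE [LOG]
# conv=noerror,sync keeps reading past unreadable sectors and pads each short
# read with zeros so later data stays at its original offset; bs=1M reads in
# large blocks, far faster than the 512-byte default. Because of "sync" the
# image is padded up to a multiple of bs, so the image is verified against
# the source over the source's own length rather than the whole image file.
image_disk() {
    src="$1"; img="$2"; log="${3:-${2}.log}"
    dd if="$src" of="$img" bs=1M conv=noerror,sync 2>>"$log" || return 1
    src_size=$(wc -c <"$src" | tr -d ' ')
    src_hash=$(hash_file "$src")                      # the source is only ever read
    img_hash=$(head -c "$src_size" "$img" | hash_stdin)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s size=%s sha256=%s\n' "$stamp" "$src" "$src_size" "$src_hash" >>"$log"
    printf '%s image=%s sha256(first %s bytes)=%s\n' "$stamp" "$img" "$src_size" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# make_baseline DIR > MANIFEST
# One "hash path" line per regular file under DIR, in a fixed order.
make_baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done)
}

# check_baseline DIR MANIFEST
# Prints MODIFIED/MISSING/NEW lines; returns 0 only when nothing changed.
check_baseline() {
    dir="$1"; manifest="$2"; status=0
    while read -r want f; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"; status=1
        elif [ "$(hash_file "$dir/$f")" != "$want" ]; then
            echo "MODIFIED $f"; status=1
        fi
    done <"$manifest"
    known=$(mktemp); current=$(mktemp)
    cut -d' ' -f2- "$manifest" | LC_ALL=C sort >"$known"
    (cd "$dir" && find . -type f | LC_ALL=C sort) >"$current"
    new=$(comm -13 "$known" "$current")              # present now, absent from the baseline
    rm -f "$known" "$current"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'; status=1
    fi
    return $status
}
```

The baseline only has value if the manifest was made before the compromise and is stored where the intruder cannot rewrite it, which is exactly the advantage the answer attributes to the FreeBSD Security Officer’s database over a local Tripwire one.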
Q: Jono asks, VirtualBox vs. Bare to the metal VMs?
- Xen, KVM and VirtualBox are not bare metal; they require a full Linux host
- XenServer is similar to VMware ESXi, in that it is bare metal. It uses a very stripped down version of CentOS and therefore far fewer resources than a full host. However, XenServer is a commercial product (though there is a free version)
- The advantage of XenServer over VMware ESXi (both are commercial but free) is that XenServer is supported by more open source management tools, such as OpenStack
Q: Gene asks, IT Control is out of control, what can we users do?
Q: Crshbndct asks, Remote SSH for Mum
Roundup
- The EU Signs Controversial ACTA Treaty
- Why are we not seeing nearly as much protest against ACTA like we did with SOPA/PIPA?
- Thousands march in Poland over Acta internet treaty
- ACTA
- Rogers found to be in violation of Canadian Net Neutrality rules, has until Feb 3rd to correct
- Nokia Subsidizing the Lumia 900 With MSFT Cash?
- reddit: January 2012 – State of the Servers
- Symantec: Anonymous stole source code, users should disable pcAnywhere