Mick checked his own website and blog and realized with a sinking feeling that they had already been attacked and compromised. Instead of his own content, there was a huge banner on the site reading ‘Carbon is Poison’ – apparently a reference to the dangers of climate change. He checked a few other common sites, and more than half of them showed the same message. In particular, U.S. government sites seemed to be uniformly down. His heart raced as he realized this attack was a big one. Despite the situation, he smiled to himself, realizing what a perfect place he was in – surrounded by his colleagues. He just needed to make sure of one thing.
He sprinted to the Network Operations Center or NOC for the conference servers and wireless network. On the way, he checked the conference website and saw to his relief that it was still functioning and did not appear to be compromised. He burst through the door and saw the startled looks on the NOC help desk volunteers as he went straight for the on-site router. He spotted the cables that connected it to the Internet, grabbed them and, in one motion, ripped them out of the servers.
“WTF, man! That was our Internet!” one of them shouted at him as Mick turned and put up his hands reassuringly, hoping there wasn't a security guard just around the corner.
“I know. Sorry about that, guys, but have you heard about the web server zero day?” All but one shook their heads. He explained the situation quickly as they each looked up their favorite sites and confirmed it to themselves. “Your servers haven't been hit, yet. I needed to isolate them immediately from the Internet so we can set up a surveillance perimeter and observe the attack as it happens. I'm Mick O'Malley, by the way. Will you help?” he ended, catching his breath.
“Sure, let’s do it – I just need to let my supervisor know. I'll post an outage page and open a ticket to let everyone know what is going on with the network... there's going to be some pissed off people out there...” one of them replied.
“Is there some space around here somewhere where we can work?” he asked and looked at a small room to the side of the NOC.
“Go ahead.”
“I'll need all the computers you have set up in there, each on a different part of the network. We need to bait the trap so we can catch this sucker as it comes in!” he ordered and the NOC personnel began to rearrange things.
Mick sent messages to his friends explaining what he had in mind, asking them to meet him in the room in ten minutes. At times like this he appreciated his peer-to-peer messaging application, a personal open source project that he had written for his friends and family that could run even without a working connection to Internet servers.
Using his mobile, he tried to remotely log into his web server, and failed. He was able to log into another server where he stored his web server logs, the files recording the activity and moment-by-moment operations of a computer – a trail of digital breadcrumbs. He did this as a failsafe to cover situations just like this. He was relieved that he could at least access those logs – they weren’t erased by the attack – although they didn't have quite as much detail as he needed. He didn't look up until about a half dozen of his closest friends and colleagues were standing in front of him looking over his shoulder. He blinked up at them, then his mind focused on the task at hand. He gave everyone directions.
“Lars, install a low layer trap in the server; do a full dump to an offline drive. Liz, configure the router to send all incoming traffic through this subnet. Someone else get into the firewall and set up the logging and intrusion analysis. We will only get one chance at this, so we need to get it right. Let’s set this trap!” The group dispersed and set to work.
Lars Elvström was a friend of the creator of a popular open source computer operating system, and an expert in kernel security among other things – the kernel being the core or central part of the operating system in a computer. He hailed from Helsinki, Finland and traveled almost as much as Mick.
In the following minutes, there was very little discussion but lots of typing and occasional swearing. The local techs gave everyone the passwords they needed to work on the computers and servers and answered any questions about the network. Mick had already familiarized himself with the layout of the network and knew exactly where he wanted to spring the trap.
“What the hell is going on here?” The question came from a short man who walked into the room. A tech jumped up and looked over to Mick. Mick looked to Liz who sighed and went over to the man. Liz sometimes helped them out of awkward social situations such as this.
“Hi there! I'm Liz Clayton. And you are?” she began, smiling at him as she brushed a lock of blonde hair out of her face.
“Ned Iverson, I'm in charge of this network, or at least I was...”
“Right, Ned,” Liz began, hoping to defuse the situation quickly while Mick continued working. “Let me explain what we're doing. Your web servers haven’t been compromised yet in this zero day, so we are setting up monitors and message loggers so we can try to see the attack as it happens. With the help of your techs, we are reconfiguring your routers and firewalls so we can learn how the attack works and how to protect against it.”
“Why can't you just look at the logs of the compromised servers?” he asked.
“We've already tried – the attack wipes the logs, very thoroughly, hiding its tracks. No one has a dataset on this attack yet to analyze it,” Liz explained. She could see him starting to relax, and knew the situation was defusing.
“OK, but does my server have to be compromised? I'd just as soon avoid that.”
“Hmm… we could replace your web server with a dummy one. That way, your real site will be safe. We'll just need to set it up quickly – everything else will be ready to go in a few minutes.”
“And will you put everything back together again when we're done?” he continued.
“Of course we will,” Liz replied, realizing she was going to be there most of the night.
“You owe me,” she growled at Mick as she walked back a moment later. The only sign that Mick heard her was a slight curl in the corner of his mouth.
Less than fifteen minutes later, most people in the room were looking around and feeling pleased with themselves. Mick saw the supervisor give him a nod. Only two people were still working furiously. Gunter was typing at light speed while a dark haired woman he hadn't noticed before stood over him giving him directions in an animated way. From the look of the code scrolling across the screen, this was some complex configuration setting on the firewall. Gunter gave him the thumbs up a moment later, and the woman sat down and smiled at Mick, making him nearly lose his train of thought.
Who is that?
Mick spoke with each of the groups and confirmed their settings and configurations. They were finally ready.
“OK, let’s connect back up to the Internet,” Mick said, getting excited.
“Um, I can only get one link up as the other connector got busted,” one tech replied. Mick would feel bad about it later, but now, he was still in fight-or-flight mode. “We’re live!” the tech reported after plugging the Ethernet cable back in.
Everyone sat quietly waiting, watching the screens. It only took a minute.
“I think we've got it!” shouted Gunter as he watched information scroll on his screen. Everyone else looked to his or her screen – some showed activity, some didn't. Mick refreshed his browser which was pointed at the conference web server; he was rewarded with the ‘Carbon is Poison’ page. It amazed him how fast it happened.
Everyone was suddenly calling out pieces of information about what their logs showed. Mick listened to all of it, sometimes asking for a repetition. The answer started to become clear in his mind. One fact would confirm it.
“Lars, did you see any activity on port 443?” he asked, leaning toward Lars.
“Yep, an HTTPS connection came in on port 443 which coincided with the attack,” he replied. Mick slapped him on the back.
Gotcha!
Looking around at his ‘team’, Mick grinned and said “Thank you everyone – I'll need all these logs archived on the main directory for confirmation, but I think we have found the nature of the attack. Thanks again for all your help...” he said, already starting to ignore them.
“What's next, Mick?” Liz asked.
“Time to write a patch!” Mick replied, sitting down and pulling up the web server source code. He began work on writing or ‘coding’ the change to the program to close the vulnerability, preventing the attack from succeeding.
The others drifted off or started looking at their mobiles, as the network was back up again. Everyone was buzzing about the attack and who was hit and who wasn't.
A few hours later, Mick had the patch written. He checked it in – uploaded it to the server where people download the software – ready for approval, release, and installation across the Internet. The zero day was almost over.
“Wait a minute, you just did an anonymous check-in of that code!” someone shouted behind him. He turned and saw the woman who was working with Gunter earlier. She looked distinctly out of place among the fashion-challenged geeks around her, wearing a knit shirt, dark pencil skirt, and boots.
“That's right,” he replied evenly.
“But how will you get credit for writing the patch?” she asked. Mick shrugged.
“I won't, but that's OK. Checking it in anonymously will avoid bruising anyone’s ego or otherwise distracting them from stopping the spread of this thing. We just need to get this patch released so we can end this zero day.”
“You don’t care that no one will know that you stopped the exploit? You are crazy!” she responded, shaking her head.
“Thanks. And you are...” he asked, enjoying her accent. It was definitely Eastern European, maybe Serbian, but her English was excellent.
“I'm Kateryna Petrescu, with F.T.L. in San Francisco,” she replied, mentioning a well-known manufacturer of firewalls. He made a mental note to not badmouth these overused security devices in front of her.
“Mick O'Malley – thanks for your help, by the way. Nice work on the firewall,” he said, extending his hand.
“You are welcome,” she replied, shaking it.
A few stayed behind with Mick and Liz to help put the NOC back together. When they were done, Mick spotted Kateryna across the room; she noticed him and approached.
“OK, so tell me how you did it,” she began.
“You mean uncover the attack?” he asked, and when she nodded, he continued. “Well, I've seen quite a few attacks over the years, but this one was unusual. Usually these days, it is the browser that gets infected, but in this case, it was the web server that provides the web pages. The Wireshark trace we did confirmed it – it was a web browsing request from a site that had already been infected.”
“And port 443?”
“Again, the speed suggested the worm was using a common, unblocked transport. Port 443 is commonly kept open for encrypted web traffic. I was happy we didn't have to wait long.”
“That patch was a nice piece of code, by the way. You must have worked as a software developer at one point in your career?”
“Yes, but it’s been a while,” Mick replied. “Anyway, once I knew how the attack worked, it was trivial to follow it through and find the bug. Believe it or not, it was just a type of buffer overflow attack,” he concluded. He changed the subject. “Have you been to Nihon... I mean Japan, before?” A few days ago, Gunter had proposed that in honor of their visit to Japan, they should all exclusively use the word that Japanese use for their country – Nihon. The usage had caught on in their social network, and was already second nature to Mick. It was now an effort for him to say Japan or Japanese.
“Just once – I was in Tokyo and Yokohama a few years back,” she replied.
They discussed his previous four visits and her previous one, and which conferences they regularly attended. Mick learned that Kateryna’s new role at her company meant she would be speaking at many of the same conferences he would be attending.
Liz waved to Mick as she left the room, having restored most of the NOC configurations. Mick waved back and called out “Thank you!” to her back. Kateryna looked over her shoulder at Liz.
“Liz Clayton, right?”
“Yep. We've been friends forever,” Mick replied. He thought he detected a slight reaction in her to his use of the word “friend”.
This could be quite a conference.
Chapter 1.
From the Security and Other Lies Blog:
What is the difference between a virus and a worm? dieraptorzdie
This is a good question, dieraptorzdie. Viruses and worms are different kinds of ‘malware’, short for malicious software. Malware is usually installed on your computer without your knowledge, and might steal information, delete information, make your computer start sending spam emails or do other things you don’t want it to do.
Both a virus and a worm will try to spread to other computers or replicate – the difference is how they do this. If the malware tries to replicate itself by attaching itself to another piece of software or data – the equivalent of a biological host – we then refer to it as a virus. This could be an email message that you open, or a download from a web page you visit.
If the malware is designed to be self-propagating, using the Internet to spread on its own without the help of another application, it is known as a worm. The word refers to the way the malware ‘worms’ its way through a network. When your computer is connected to the Internet, it can receive all kinds of messages from other computers. An attacker can send out a bunch of messages (sometimes this is called ‘port scanning’) to your computer, trying to cause it to unwittingly install malware. This can happen anytime you are connected to the Internet, and you don’t even have to be checking mail or browsing the web for this kind of attack to happen.
Both worms and viruses can spread quickly and do a lot of damage in a short time.
There are a number of things you can do to protect your computer. Virus scanning software you install on your computer can help protect against viruses: it monitors and checks everything that you download or install, and deletes it if it finds a virus. A firewall can be used to protect against some types of worms. A firewall’s purpose in a network is to block unwanted Internet traffic while allowing legitimate traffic. The word ‘firewall’ comes from the construction industry, where it literally is a fire-proof wall between rooms or buildings. If you have a firewall in your network, it can block port scans and only let traffic that you want flow from the Internet to your computer.
But the best defense against both viruses and worms is to ensure that you run a secure operating system and that you keep up to date with updates and patches. You should also be very careful about every piece of software you install or download onto your computer. You should immediately install every software update and patch that becomes available – many of them fix known security flaws. Myself, I only install software that I have compiled myself and examined the source code. At the very least, you need to make sure that you trust whoever wrote the software, and you fully understand what the software does. Otherwise, you might find your computer compromised...
-> Your question not answered this week? Argue for your vote on the Shameless Plugging area of our discussion forum
Chapter 2.
“Thank you everyone for attending this meeting,” the Chairman began. He looked around the room at his team. He had built this company, Cloud 8++, from nothing. The industry had grown up as well, from lone hobbyists, to a cottage industry, to today’s corporations. They had enjoyed a great deal of success and ill-gotten profits over the years, but things were changing. “First, I would like a report on the progress of the new exploit.”
“Everything performed as expected,” was the response from one man. “There was a 100% success rate against targeted web servers.”
“Impressive, but the outage didn’t last very long. You had told us it would take a day or more before the servers came back up again. Did we have enough time to install our software?”
“We did have time to install our software. This particular attack was directed against an open source program that has a large and active community of developers. They mobilized very quickly and had a patch uploaded within four hours of the attack. Web servers began coming up again almost immediately after that. Most servers were patched within twelve hours.”
“Is there anything we can do to prevent this in the future?”
“Our later zero day attacks will be against commercial software, so we won’t need to worry about the open source community. In addition, our consultant has some ideas on how we can fragment and divide the community, slowing their responsiveness in the future.”
“And the silent exploit?” the Chairman asked.
“Also extremely effective, although we do not have exact numbers, yet,” the man hesitated for a moment before continuing. “I did a reverse lookup of the target IP addresses you gave me –”
“You should not have done that!”
“Well, I did. The addresses belong to UBK corporation, the government outsourcing company. As far as I know, they do not represent a primary target for us. Why are we using our silent exploit on them?”
Counting from Zero Page 2