Sunday, May 21, 2017

Random Internet Connections ~ 5/21/2017

Uninvited guests randomly scanning my honeypot.

No DNS = IOT device or ??

Count | IP Address | Port | DNS (if available)

APNIC (Asia)

1 1.71.71.8 23
1 103.218.100.242 2323
1 103.219.246.174 23
1 103.29.69.96 554 96.69.29.103.in-addr.arpa. 81788 IN PTR li1542-96.members.linode.com.
1 103.50.4.26 23

1 103.79.143.231 22
1 103.79.143.232 22
[ ^^ Typo or looking for 22 (SSH) ]

1 103.87.48.43 23
1 106.111.110.147 23
1 110.17.165.146 1433
1 110.8.84.206 1433
1 111.40.166.130 22
1 111.51.27.231 23
1 111.9.180.188 1433

1 111.91.144.95 1900
1 111.91.148.45 1900
[ ^^ Looking for 1900 ~ popular in Asia]

1 112.227.103.160 23
1 112.53.235.40 23
1 113.128.64.128 23
1 113.224.152.95 23
1 113.235.19.185 23
1 113.30.60.166 1900
1 114.199.214.140 1900
1 114.219.158.32 23
1 115.72.154.122 23 122.154.72.115.in-addr.arpa. 80342 IN PTR adsl.viettel.vn.
1 116.232.85.239 23
1 116.97.239.78 81
1 117.199.230.116 23
1 117.222.180.30 445
1 117.34.72.18 23
1 118.69.197.149 1433
1 119.57.141.165 23
1 120.142.132.198 1900
1 120.210.134.26 23

1 121.199.4.219 1433
1 121.250.100.7 1433
1 121.254.246.12 1433
[ ^^ Looking for 1433 (SQL Server)]

1 122.114.169.198 1433
1 122.114.169.198 23
1 122.114.182.100 1433
1 122.114.182.230 1433
1 122.114.39.80 23
1 122.114.46.62 1433
1 122.114.49.115 23
[ ^^ Likely a bad network looking to exploit port 23 (telnet) and 1433 (SQL Server)]

1 122.116.159.107 32761 107.159.116.122.in-addr.arpa. 38775 IN PTR 122-116-159-107.HINET-IP.hinet.net.
1 122.128.249.38 1900
1 122.194.229.10 8080
1 123.100.168.114 1900
1 123.133.65.58 993
1 123.207.111.120 23
1 123.207.126.103 23
1 123.207.159.29 1433
1 124.195.171.85 1900
1 125.211.221.233 1433
1 128.114.234.201 3389 201.234.114.128.in-addr.arpa. 24617 IN PTR dhcp-234-201.ucsc.edu.
1 14.118.251.235 23
1 14.210.166.26 23
1 180.106.225.30 22
1 180.112.96.16 23
1 180.114.97.146 23
1 182.100.67.118 22
1 182.130.183.118 23
1 182.69.57.241 23 241.57.69.182.in-addr.arpa. 81981 IN PTR abts-north-dynamic-241.57.69.182.airtelbroadband.in.
1 183.93.223.235 2222
1 202.65.220.205 1433 205.220.65.202.in-addr.arpa. 82060 IN PTR static-ip-205-220-65-202.rev.dyxnet.com.
1 203.189.83.131 23 131.83.189.203.in-addr.arpa. 3600 IN PTR 203-189-83-131.dynamic.acenet.com.au.
1 203.195.147.204 1433
1 203.50.80.157 0 157.80.50.203.in-addr.arpa. 82094 IN PTR gigabitethernet0-1.win17.melbourne.telstra.net.
1 210.48.154.99 52306 99.154.48.210.in-addr.arpa. 3216 IN PTR quid.centralmalaysia.com.
1 210.48.154.99 57845 99.154.48.210.in-addr.arpa. 3211 IN PTR quid.centralmalaysia.com.
1 210.48.154.99 65439 99.154.48.210.in-addr.arpa. 3206 IN PTR quid.centralmalaysia.com.
1 211.143.111.235 23
1 211.159.172.178 23
1 211.176.166.179 1900
1 218.60.136.106 22 106.136.60.218.in-addr.arpa. 139 IN PTR cncln.online.ln.cn.
1 218.62.97.247 23 247.97.62.218.in-addr.arpa. 82769 IN PTR 247.97.62.218.adsl-pool.jlccptt.net.cn.
1 219.153.18.157 22
1 220.85.169.58 23
1 222.186.134.8 808
1 222.186.39.41 2433
1 222.186.39.61 1433
1 222.186.58.161 9200
1 222.186.58.172 1533
1 222.220.92.86 23
1 222.34.18.27 0
1 222.81.144.20 23
1 223.3.39.9 22
1 223.3.39.9 2222
1 23.235.162.41 3389
1 27.153.124.59 23 59.124.153.27.in-addr.arpa. 82294 IN PTR 59.124.153.27.broad.qz.fj.dynamic.163data.com.cn.
1 27.3.89.163 23
1 36.110.169.36 1433
1 39.32.197.63 81
1 42.2.40.118 22 118.40.2.42.in-addr.arpa. 81624 IN PTR 42-2-40-118.static.netvigator.com.
1 42.51.16.5 3306 5.16.51.42.in-addr.arpa. 300 IN PTR htuidc.bgp.ip.
1 43.230.114.115 2433
1 43.240.245.45 23
1 43.240.245.88 23
1 49.81.19.231 0
1 59.110.136.70 3306
[ ^^ Trying to connect to MySQL]

1 59.45.175.192 22
1 60.190.67.253 0
[ ^^ 0 is an invalid port ]

1 60.191.38.77 1962
1 58.143.3.75 3389
3 210.6.141.217 23 217.141.6.210.in-addr.arpa. 80908 IN PTR 210006141217.ctinets.com.

ARIN (North America)

1 107.150.2.67 3306 67.2.150.107.in-addr.arpa. 83460 IN PTR 107.150.2.67.static.quadranet.com.
1 108.176.247.184 445 184.247.176.108.in-addr.arpa. 83551 IN PTR cpe-108-176-247-184.twcny.res.rr.com.
[ ^^ 445 - block it! Or pay the price...]

1 13.58.84.211 8880 211.84.58.13.in-addr.arpa. 300 IN PTR ec2-13-58-84-211.us-east-2.compute.amazonaws.com.
1 141.212.122.17 1900 17.122.212.141.in-addr.arpa. 900 IN PTR researchscan272.eecs.umich.edu.
1 184.0.91.60 0 60.91.0.184.in-addr.arpa. 81985 IN PTR nv-184-0-91-60.dhcp.embarqhsd.net.
1 184.105.139.76 123 76.139.105.184.in-addr.arpa. 86357 IN CNAME 76.64-26.139.105.184.in-addr.arpa. 76.64-26.139.105.184.in-addr.arpa. 86357 IN PTR scan-02b.shadowserver.org.
1 184.105.139.82 69 82.139.105.184.in-addr.arpa. 86400 IN CNAME 82.64-26.139.105.184.in-addr.arpa. 82.64-26.139.105.184.in-addr.arpa. 86400 IN PTR scan-04c.shadowserver.org.
1 184.105.139.85 177 85.139.105.184.in-addr.arpa. 86400 IN CNAME 85.64-26.139.105.184.in-addr.arpa. 85.64-26.139.105.184.in-addr.arpa. 86400 IN PTR scan-03c.shadowserver.org.
1 184.105.247.198 623 198.247.105.184.in-addr.arpa. 85518 IN CNAME 198.192-26.247.105.184.in-addr.arpa. 198.192-26.247.105.184.in-addr.arpa. 85518 IN PTR scan-13a.shadowserver.org.
1 184.105.247.220 53413 220.247.105.184.in-addr.arpa. 86400 IN CNAME 220.192-26.247.105.184.in-addr.arpa. 220.192-26.247.105.184.in-addr.arpa. 86400 IN PTR scan-15f.shadowserver.org.
1 208.84.200.21 445
1 209.126.136.5 23
1 216.218.206.111 137 111.206.218.216.in-addr.arpa. 85980 IN CNAME 111.64-26.206.218.216.in-addr.arpa. 111.64-26.206.218.216.in-addr.arpa. 85980 IN PTR scan-06k.shadowserver.org.
1 216.218.206.94 500 94.206.218.216.in-addr.arpa. 86400 IN CNAME 94.64-26.206.218.216.in-addr.arpa. 94.64-26.206.218.216.in-addr.arpa. 86400 IN PTR scan-05g.shadowserver.org.
1 23.254.130.88 1433 88.130.254.23.in-addr.arpa. 10154 IN PTR client-23-254-130-88.hostwindsdns.com.
1 45.32.216.149 445 149.216.32.45.in-addr.arpa. 3600 IN PTR 45.32.216.149.vultr.com.
1 45.55.10.21 110 21.10.55.45.in-addr.arpa. 1800 IN PTR worker-4-27b-8.stretchoid.com.
1 45.58.136.98 80 98.136.58.45.in-addr.arpa. 22432 IN PTR nookrie-yet.ringlooks.net.
1 46.101.118.25 7991 25.118.101.46.in-addr.arpa. 1800 IN PTR min-extra-scan-12-de-do-dev.binaryedge.ninja.
1 64.184.116.177 81 177.116.184.64.in-addr.arpa. 3600 IN PTR ip-64-184-116-177.ligtel.com.
1 67.210.208.133 20366 133.208.210.67.in-addr.arpa. 6729 IN PTR 133.208.210-67.q9.net.
1 67.210.208.133 59108 133.208.210.67.in-addr.arpa. 6724 IN PTR 133.208.210-67.q9.net.
1 71.234.215.22 8080 22.215.234.71.in-addr.arpa. 1975 IN PTR c-71-234-215-22.hsd1.ct.comcast.net.
1 71.6.158.166 3689 166.158.6.71.in-addr.arpa. 37130 IN PTR ninja.census.shodan.io.
1 71.6.158.166 4070 166.158.6.71.in-addr.arpa. 37125 IN PTR ninja.census.shodan.io.
1 71.6.158.166 5985 166.158.6.71.in-addr.arpa. 37120 IN PTR ninja.census.shodan.io.
1 74.123.18.142 49867
1 74.82.47.34 53 34.47.82.74.in-addr.arpa. 86400 IN CNAME 34.0-26.47.82.74.in-addr.arpa. 34.0-26.47.82.74.in-addr.arpa. 86400 IN PTR scan-09h.shadowserver.org.
1 74.82.47.48 523 48.47.82.74.in-addr.arpa. 86400 IN CNAME 48.0-26.47.82.74.in-addr.arpa. 48.0-26.47.82.74.in-addr.arpa. 86400 IN PTR scan-11k.shadowserver.org.

1 75.102.21.12 32175 12.21.102.75.in-addr.arpa. 3600 IN PTR mail.sarangak.com.
[ ^^ Hmm. A mail server...]

1 99.67.126.150 717 150.126.67.99.in-addr.arpa. 1714 IN PTR adsl-99-67-126-150.dsl.covlil.sbcglobal.net.
2 209.49.192.54 3389
2 52.31.147.77 3389 77.147.31.52.in-addr.arpa. 300 IN PTR ec2-52-31-147-77.eu-west-1.compute.amazonaws.com.
[ ^^ Could be typo - someone's EC2 instance IP address changed...or not.]

RIPE (Europe)

1 151.236.52.243 1433 243.52.236.151.in-addr.arpa. 81857 IN PTR vps.tessyacconciature.it.
1 151.250.37.89 23 89.37.250.151.in-addr.arpa. 122 IN PTR host-151-250-37-89.reverse.superonline.net.

1 163.172.167.164 1020 164.167.172.163.in-addr.arpa. 60 IN PTR 164-167-172-163.rev.cloud.scaleway.com.
1 163.172.167.164 1021 164.167.172.163.in-addr.arpa. 55 IN PTR 164-167-172-163.rev.cloud.scaleway.com.
1 163.172.167.164 1022 164.167.172.163.in-addr.arpa. 50 IN PTR 164-167-172-163.rev.cloud.scaleway.com.
[ ^^ Port Scan ]

1 146.0.77.108 49431
1 139.162.120.76 81 76.120.162.139.in-addr.arpa. 82757 IN PTR li1604-76.members.linode.com.
1 169.54.233.124 5060 124.233.54.169.in-addr.arpa. 81594 IN PTR 7c.e9.36a9.ip4.static.sl-reverse.com.
1 169.54.244.89 17185 89.244.54.169.in-addr.arpa. 82750 IN PTR 59.f4.36a9.ip4.static.sl-reverse.com.
1 169.54.244.93 44818 93.244.54.169.in-addr.arpa. 82779 IN PTR 5d.f4.36a9.ip4.static.sl-reverse.com.
1 170.231.114.47 23
1 171.248.157.193 23
1 171.25.193.131 443 131.193.25.171.in-addr.arpa. 82490 IN PTR tor-exit7-readme.dfri.se.
1 172.82.180.58 1900
1 173.215.141.54 445 54.141.215.173.in-addr.arpa. 169766 IN PTR static-173-215-141-54.prtc.net.
1 176.122.251.15 23
1 176.8.128.19 23 19.128.8.176.in-addr.arpa. 82559 IN PTR 176-8-128-19.broadband.kyivstar.net.
1 178.137.212.9 23 9.212.137.178.in-addr.arpa. 82599 IN PTR 178-137-212-9.broadband.kyivstar.net.
1 178.137.51.246 23 246.51.137.178.in-addr.arpa. 82895 IN PTR 178-137-51-246.broadband.kyivstar.net.
1 178.159.36.60 3389
1 178.47.176.130 23
1 185.128.40.110 1900

1 185.35.62.122 1883
1 185.35.62.135 47808
1 185.35.62.194 502
1 185.56.82.54 5901
1 185.56.82.74 3401
[^^Port scan mixing up the IPs?]

1 185.94.111.1 137
1 195.46.112.154 22
1 212.129.1.60 5060 60.1.129.212.in-addr.arpa. 81939 IN PTR 212-129-1-60.rev.poneytelecom.eu.
1 212.83.157.201 5060 201.157.83.212.in-addr.arpa. 82398 IN PTR 212-83-157-201.rev.poneytelecom.eu.
1 217.160.0.34 63393 34.0.160.217.in-addr.arpa. 81832 IN PTR 217-160-0-34.elastic-ssl.ui-r.com.
1 217.65.176.70 23
1 31.207.47.86 3389
1 37.55.197.31 717 31.197.55.37.in-addr.arpa. 82306 IN PTR 31-197-55-37.pool.ukrtel.net.

1 37.115.57.53 23 53.57.115.37.in-addr.arpa. 82201 IN PTR 37-115-57-53.broadband.kyivstar.net.
1 37.229.14.140 23 140.14.229.37.in-addr.arpa. 81539 IN PTR 37-229-14-140.broadband.kyivstar.net.
1 46.118.174.39 23 39.174.118.46.in-addr.arpa. 81709 IN PTR 46-118-174-39.broadband.kyivstar.net.
1 46.118.62.107 23 107.62.118.46.in-addr.arpa. 82099 IN PTR 46-118-62-107.broadband.kyivstar.net.
1 46.118.76.7 23 7.76.118.46.in-addr.arpa. 82660 IN PTR 46-118-76-7.broadband.kyivstar.net.
1 46.118.96.191 23 191.96.118.46.in-addr.arpa. 81153 IN PTR 46-118-96-191.broadband.kyivstar.net.
1 46.119.195.200 23 200.195.119.46.in-addr.arpa. 82159 IN PTR 46-119-195-200.broadband.kyivstar.net.
[^^Lots of port 23 from kyivstar.net]

1 46.139.103.246 445 246.103.139.46.in-addr.arpa. 81864 IN PTR 2E8B67F6.catv.pool.telekom.hu.
1 46.249.74.180 2323 180.74.249.46.in-addr.arpa. 17044 IN PTR 46-249-74-180.net1.bg.
1 5.161.20.26 81
1 5.188.11.10 3389
1 5.188.11.10 3390
1 5.237.151.150 81
1 5.8.50.130 3357
1 51.15.142.103 8080 103.142.15.51.in-addr.arpa. 60 IN PTR probe2.sisyphe.io.
1 51.15.67.132 8443 132.67.15.51.in-addr.arpa. 60 IN PTR 132-67-15-51.rev.cloud.scaleway.com.
1 62.138.14.135 5060 135.14.138.62.in-addr.arpa. 82280 IN PTR loft24103.serverprofi24.eu.
1 77.159.71.216 23 216.71.159.77.in-addr.arpa. 38416 IN PTR 216.71.159.77.rev.sfr.net.
1 78.189.28.120 23 120.28.189.78.in-addr.arpa. 37933 IN PTR 78.189.28.120.dynamic.ttnet.com.tr.
1 79.135.228.161 49867 161.228.135.79.in-addr.arpa. 3600 IN PTR 161.228.135.79.in-addr.arpa.
1 79.2.183.59 23 59.183.2.79.in-addr.arpa. 37903 IN PTR host59-183-static.2-79-b.business.telecomitalia.it.
1 80.24.113.183 23 183.113.24.80.in-addr.arpa. 168532 IN PTR 183.red-80-24-113.staticip.rima-tde.net.
1 80.82.70.26 23 26.70.82.80.in-addr.arpa. 3600 IN PTR vicnovo7x026.securolytics.io.

1 80.82.77.139 12345 139.77.82.80.in-addr.arpa. 2052 IN PTR dojo.census.shodan.io.
1 80.82.77.139 5986 139.77.82.80.in-addr.arpa. 2047 IN PTR dojo.census.shodan.io.
1 80.82.77.33 1099 33.77.82.80.in-addr.arpa. 2790 IN PTR sky.census.shodan.io.
1 80.82.77.33 1962 33.77.82.80.in-addr.arpa. 2785 IN PTR sky.census.shodan.io.
1 80.82.77.33 4040 33.77.82.80.in-addr.arpa. 2780 IN PTR sky.census.shodan.io.
[I don't think I like this shodan IOT thing ^^]

1 81.183.253.3 23 3.253.183.81.in-addr.arpa. 80843 IN PTR dsl51B7FD03.fixip.t-online.hu.
1 81.214.70.186 23 186.70.214.81.in-addr.arpa. 38549 IN PTR 81.214.70.186.dynamic.ttnet.com.tr.
1 83.6.205.173 23 173.205.6.83.in-addr.arpa. 82396 IN PTR abbp173.neoplus.adsl.tpnet.pl.
1 84.94.192.94 23 94.192.94.84.in-addr.arpa. 3600 IN PTR 84.94.192.94.cable.012.net.il.
1 85.101.145.154 23 154.145.101.85.in-addr.arpa. 38445 IN PTR 85.101.145.154.dynamic.ttnet.com.tr.
1 85.109.190.94 23 94.190.109.85.in-addr.arpa. 37842 IN PTR 85.109.190.94.dynamic.ttnet.com.tr.
1 87.106.1.241 16868 241.1.106.87.in-addr.arpa. 2533 IN PTR s527594248.mialojamiento.es.
1 87.13.44.37 81 37.44.13.87.in-addr.arpa. 38279 IN PTR host37-44-dynamic.13-87-r.retail.telecomitalia.it.
1 88.228.97.154 23 154.97.228.88.in-addr.arpa. 37977 IN PTR 88.228.97.154.dynamic.ttnet.com.tr.
1 88.235.30.54 23 54.30.235.88.in-addr.arpa. 37841 IN PTR 88.235.30.54.dynamic.ttnet.com.tr.
1 89.163.157.162 0
1 89.163.251.151 5060 151.251.163.89.in-addr.arpa. 81703 IN PTR ve782.venus.fastwebserver.de.
1 89.248.171.2 443 2.171.248.89.in-addr.arpa. 3131 IN PTR 89.248.171.2.static-nl.cryptolayer.com.
1 91.122.40.86 22 86.40.122.91.in-addr.arpa. 3600 IN PTR ppp91-122-40-86.pppoe.avangarddsl.ru.

1 91.211.2.106 338 106.2.211.91.in-addr.arpa. 78740 IN PTR hostby.chnet.se.
1 91.211.2.106 666 106.2.211.91.in-addr.arpa. 78735 IN PTR hostby.chnet.se.
1 91.211.2.108 3390 108.2.211.91.in-addr.arpa. 56583 IN PTR hostby.chnet.se.
1 91.211.2.108 3392 108.2.211.91.in-addr.arpa. 56578 IN PTR hostby.chnet.se.
1 91.211.2.108 3393 108.2.211.91.in-addr.arpa. 56573 IN PTR hostby.chnet.se.
1 91.211.2.108 3394 108.2.211.91.in-addr.arpa. 56568 IN PTR hostby.chnet.se.
1 91.211.2.108 3395 108.2.211.91.in-addr.arpa. 56563 IN PTR hostby.chnet.se.
1 91.211.2.108 3396 108.2.211.91.in-addr.arpa. 56558 IN PTR hostby.chnet.se.
1 91.211.2.108 4444 108.2.211.91.in-addr.arpa. 56553 IN PTR hostby.chnet.se.
1 91.211.2.108 6666 108.2.211.91.in-addr.arpa. 56548 IN PTR hostby.chnet.se.
[Yeah, that's a port scan ^^]

1 91.230.121.168 123
1 91.98.76.50 445 50.76.98.91.in-addr.arpa. 81378 IN PTR 91.98.76.50.pol.ir.

1 93.174.93.136 3128 136.93.174.93.in-addr.arpa. 3228 IN PTR no-reverse-dns-configured.com.
1 93.174.93.136 3333 136.93.174.93.in-addr.arpa. 3223 IN PTR no-reverse-dns-configured.com.
1 93.174.93.136 7777 136.93.174.93.in-addr.arpa. 3218 IN PTR no-reverse-dns-configured.com.
1 93.174.93.136 8000 136.93.174.93.in-addr.arpa. 3213 IN PTR no-reverse-dns-configured.com.
1 93.174.93.136 808 136.93.174.93.in-addr.arpa. 3208 IN PTR no-reverse-dns-configured.com.
1 93.174.93.136 8887 136.93.174.93.in-addr.arpa. 3203 IN PTR no-reverse-dns-configured.com.
[Another port scan ^^]

1 94.23.252.163 19 163.252.23.94.in-addr.arpa. 80761 IN PTR ns380322.ip-94-23-252.eu.
1 94.76.206.197 445 197.206.76.94.in-addr.arpa. 81066 IN PTR www.eventogioco.com.
1 95.102.92.146 23 146.92.102.95.in-addr.arpa. 82154 IN PTR adsl-dyn-146.95-102-92.t-com.sk.
1 95.231.117.83 23 83.117.231.95.in-addr.arpa. 38362 IN PTR host83-117-static.231-95-b.business.telecomitalia.it.
1 95.47.132.36 23
2 46.48.215.149 21
5 195.154.241.198 5060 198.241.154.195.in-addr.arpa. 80630 IN PTR 195-154-241-198.rev.poneytelecom.eu.
5 51.15.8.65 5060 65.8.15.51.in-addr.arpa. 80893 IN PTR 51-15-8-65.rev.poneytelecom.eu.
1 134.249.93.92 23 92.93.249.134.in-addr.arpa. 82753 IN PTR 134-249-93-92.broadband.kyivstar.net.

LACNIC (South America)

1 131.0.251.42 23
1 138.219.192.152 23 152.192.219.138.in-addr.arpa. 3600 IN PTR 138-219-192-152.brasilnett.com.br.
1 177.158.181.22 23 22.181.158.177.in-addr.arpa. 83366 IN PTR 177.158.181.22.dynamic.adsl.gvt.net.br.
1 177.221.104.97 22 97.104.221.177.in-addr.arpa. 80232 IN PTR bilink-97-bgp104.bilink.com.br.
1 177.246.184.146 5358 146.184.246.177.in-addr.arpa. 82679 IN PTR customer-COL-184-146.megared.net.mx.
1 179.183.255.131 23 131.255.183.179.in-addr.arpa. 83230 IN PTR 179.183.255.131.dynamic.adsl.gvt.net.br.
1 179.99.200.173 23 173.200.99.179.in-addr.arpa. 83015 IN PTR 179-99-200-173.dsl.telesp.net.br.
1 181.211.229.103 22 103.229.211.181.in-addr.arpa. 3332 IN PTR 103.229.211.181.static.pichincha.andinanet.net.
1 181.26.172.209 23 209.172.26.181.in-addr.arpa. 81925 IN PTR 181-26-172-209.speedy.com.ar.
1 186.119.100.44 23
1 186.178.182.170 23 170.182.178.186.in-addr.arpa. 3582 IN PTR 170.182.178.186.static.pichincha.andinanet.net.
1 186.178.189.236 23 236.189.178.186.in-addr.arpa. 2871 IN PTR 236.189.178.186.static.pichincha.andinanet.net.
1 186.56.147.223 23 223.147.56.186.in-addr.arpa. 82146 IN PTR 186-56-147-223.mrse.com.ar.
1 186.57.50.58 22 58.50.57.186.in-addr.arpa. 82932 IN PTR 186-57-50-58.speedy.com.ar.
1 187.108.150.123 445 123.150.108.187.in-addr.arpa. 3600 IN PTR 187.108.150.123.nqt.com.br.
1 187.123.88.199 23 199.88.123.187.in-addr.arpa. 3600 IN PTR bb7b58c7.virtua.com.br.
1 187.160.216.136 81 136.216.160.187.in-addr.arpa. 24941 IN PTR CableLink-187-160-216-136.PCs.InterCable.net.
1 187.160.217.103 23 103.217.160.187.in-addr.arpa. 24360 IN PTR CableLink-187-160-217-103.PCs.InterCable.net.
1 187.185.113.221 23 221.113.185.187.in-addr.arpa. 3600 IN PTR 187.185.113.221.cable.dyn.cableonline.com.mx.
1 187.87.205.87 23
1 188.49.86.245 23
1 189.219.19.113 23 113.19.219.189.in-addr.arpa. 3600 IN PTR CableLink-189-219-19-113.Hosts.InterCable.net.
1 190.235.230.162 23
1 190.39.93.7 445
1 190.48.228.199 23 199.228.48.190.in-addr.arpa. 83075 IN PTR 190-48-228-199.speedy.com.ar.
1 190.62.151.165 81
1 191.34.101.72 23 72.101.34.191.in-addr.arpa. 81928 IN PTR 191.34.101.72.dynamic.adsl.gvt.net.br.
1 191.82.116.85 22 85.116.82.191.in-addr.arpa. 81973 IN PTR 191-82-116-85.speedy.com.ar.
1 200.77.164.202 717 202.164.77.200.in-addr.arpa. 82571 IN PTR 200-77-164-202.cable.dyn.cablevision.net.mx.
1 200.8.152.168 23
1 200.92.180.72 81 72.180.92.200.in-addr.arpa. 81990 IN PTR customer-MZT-180-72.megared.net.mx.
1 201.10.181.136 23 136.181.10.201.in-addr.arpa. 81472 IN PTR 201-10-181-136.CPCE-MS-MAN-SWTL3-A03.dsl.brasiltelecom.net.br.
1 201.164.201.142 23 142.201.164.201.in-addr.arpa. 82274 IN PTR customer-COL-201-142.megared.net.mx.
1 201.24.92.8 23 8.92.24.201.in-addr.arpa. 81894 IN PTR 201-24-92-8.fnsce701.dsl.brasiltelecom.net.br.
1 201.252.134.197 23 197.134.252.201.in-addr.arpa. 81723 IN PTR host197.201-252-134.telecom.net.ar.
[^^Port 23 is all the rage in Latin America!]

AFRINIC (Africa)

1 196.41.221.58 445
1 197.50.71.27 23 27.71.50.197.in-addr.arpa. 81693 IN PTR host-197.50.71.27.tedata.net.
1 198.50.187.240 1755 240.187.50.198.in-addr.arpa. 81748 IN PTR ddos-protected-l7.198.50.187.240.heavyhost.net.
1 2.184.214.41 7547
1 200.6.170.133 23 133.170.6.200.in-addr.arpa. 82201 IN PTR static-BAFO-200-6-170-133.une.net.co.
1 49.117.21.122 23
1 49.73.95.238 23
1 49.81.146.42 23
1 41.41.84.204 23 204.84.41.41.in-addr.arpa. 81825 IN PTR host-41.41.84.204.tedata.net.
1 41.41.84.204 2323 204.84.41.41.in-addr.arpa. 81820 IN PTR host-41.41.84.204.tedata.net.
[^^Africa is the most well-behaved continent today]

Hits | Port
  107 23 [23 wins! Telnet, likely IOT. More hits than any other port]
  19 1433 [Better not have your database on the Internet. Use layered security (networking)]
  16 22 [Port 22 should be locked down to specific IPs]
  15 5060 [SIP https://www.speedguide.net/port.php?port=5060]
  12 1900 [Block from Internet, upgrade old systems]
  11 445 [Block from Internet, upgrade old systems]
   10 81 [Port 81?? https://isc.sans.edu/forums/diary/WTF+tcp+port+81/22332/ Obfuscating traffic back to C2?]
  10 3389 [Port 3389 should be locked down to specific IPs]
   6 0 [Don't allow invalid ports on your network]
   3 8080
   3 717
   3 3306
   3 2323
   2 808
   2 49867
   2 443
   2 3390
   2 2433
   2 2222
   2 21
   2 1962
   2 137
   2 123
   1 993
   1 9200
   1 8887
   1 8880
   1 8443
   1 8000
   1 80
   1 7991
   1 7777
   1 7547
   1 69
   1 6666
   1 666
   1 65439
   1 63393
   1 623
   1 5986
   1 5985
   1 59108
   1 5901
   1 57845
   1 554
   1 5358
   1 53413
   1 53
   1 52306
   1 523
   1 502
   1 500
   1 49431
   1 47808
   1 44818
   1 4444
   1 4070
   1 4040
   1 3689
   1 3401
   1 3396
   1 3395
   1 3394
   1 3393
   1 3392
   1 338
   1 3357
   1 3333
   1 32761
   1 32175
   1 3128
   1 20366
   1 19
   1 1883
   1 177
   1 1755
   1 17185
   1 16868
   1 1533
   1 12345
   1 110
   1 1099
   1 1022
   1 1021
   1 1020
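The "Hits | Port" table and the bracketed "port scan" notes above were tallied by hand. As an added example (not the author's code), the Python below parses lines in the post's format ("count IP port [dig -x answer]") and reproduces that summary: hits per port, sources that touched several ports, sources whose reverse DNS names a known scanning project, and connections to the invalid port 0. The list of scanner reverse-DNS suffixes is an assumption drawn from the names in the list above.

```python
import re
from collections import Counter, defaultdict

# One record per line, as the post lists them: hit count, source IP,
# destination port, then optionally the reverse-DNS answer (dig -x style).
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)(?:\s+(.*))?$")
PTR_RE = re.compile(r"\bIN\s+PTR\s+(\S+)")

# Reverse-DNS suffixes of the Internet-wide scanning projects that show up in
# the post's list. Assumed list; extend it for your own environment.
SCANNER_SUFFIXES = ("shadowserver.org.", "census.shodan.io.", "eecs.umich.edu.",
                    "stretchoid.com.", "binaryedge.ninja.", "sisyphe.io.")

# Service names for the ports the post's summary comments on.
PORT_LABELS = {23: "telnet", 2323: "telnet-alt", 22: "ssh", 1433: "mssql",
               3306: "mysql", 5060: "sip", 1900: "ssdp", 445: "smb",
               3389: "rdp", 81: "http-alt"}


def parse_line(line):
    """Return a record for a data line, or None for annotation/blank lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    count, ip, port, rest = m.groups()
    ptr_match = PTR_RE.search(rest or "")
    return {"count": int(count), "ip": ip, "port": int(port),
            "ptr": ptr_match.group(1) if ptr_match else None}


def summarize(lines, scan_threshold=3):
    """Aggregate like the post's 'Hits | Port' table and flag what it calls out by hand."""
    hits_per_port = Counter()
    ports_per_ip = defaultdict(set)
    ptr_by_ip = {}
    invalid_port_sources = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        hits_per_port[rec["port"]] += rec["count"]
        ports_per_ip[rec["ip"]].add(rec["port"])
        if rec["ptr"]:
            ptr_by_ip[rec["ip"]] = rec["ptr"]
        if not 1 <= rec["port"] <= 65535:  # port 0 is not a legal destination
            invalid_port_sources.append(rec["ip"])
    # One source touching several distinct ports: the post's "that's a port scan".
    port_scanners = {ip: sorted(p) for ip, p in ports_per_ip.items()
                     if len(p) >= scan_threshold}
    # Sources whose reverse DNS names a known scanning project.
    known_scanners = {ip: ptr for ip, ptr in ptr_by_ip.items()
                      if ptr.endswith(SCANNER_SUFFIXES)}
    return {"hits_per_port": dict(hits_per_port), "port_scanners": port_scanners,
            "known_scanners": known_scanners,
            "invalid_port_sources": invalid_port_sources}


def top_ports(summary, n=5):
    """(port, hits, label) tuples, most-hit first, like the head of the post's table."""
    ranked = sorted(summary["hits_per_port"].items(), key=lambda kv: (-kv[1], kv[0]))
    return [(port, hits, PORT_LABELS.get(port, "?")) for port, hits in ranked[:n]]


# Constructed sample: lines copied from the post's own list, plus one of the
# author's bracketed annotations, which the parser has to skip.
SAMPLE_LINES = """\
1 122.114.169.198 1433
1 122.114.169.198 23
3 210.6.141.217 23 217.141.6.210.in-addr.arpa. 80908 IN PTR 210006141217.ctinets.com.
1 60.190.67.253 0
1 71.6.158.166 3689 166.158.6.71.in-addr.arpa. 37130 IN PTR ninja.census.shodan.io.
1 71.6.158.166 4070 166.158.6.71.in-addr.arpa. 37125 IN PTR ninja.census.shodan.io.
1 71.6.158.166 5985 166.158.6.71.in-addr.arpa. 37120 IN PTR ninja.census.shodan.io.
1 91.211.2.108 3390 108.2.211.91.in-addr.arpa. 56583 IN PTR hostby.chnet.se.
1 91.211.2.108 3392 108.2.211.91.in-addr.arpa. 56578 IN PTR hostby.chnet.se.
1 91.211.2.108 4444 108.2.211.91.in-addr.arpa. 56553 IN PTR hostby.chnet.se.
1 91.211.2.108 6666 108.2.211.91.in-addr.arpa. 56548 IN PTR hostby.chnet.se.
[Yeah, that's a port scan ^^]
1 184.105.139.76 123 76.139.105.184.in-addr.arpa. 86357 IN CNAME 76.64-26.139.105.184.in-addr.arpa. 76.64-26.139.105.184.in-addr.arpa. 86357 IN PTR scan-02b.shadowserver.org.
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for port, hits, label in top_ports(s):
        print(f"{hits:4d} {port:5d} {label}")
    print("port scans:", s["port_scanners"])
    print("known scanners:", s["known_scanners"])
    print("invalid destination port from:", s["invalid_port_sources"])
```

Feed it the full list above (annotation lines included) to regenerate the table; raise scan_threshold if a single source legitimately reaches two or three of your services.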

Saturday, May 20, 2017

Random Internet Connections ~ May 20, 2017

Back where we started. Do it all over again.

Today's list of visitors to a honeypot after just a few hours:


Thursday, December 10, 2015

Security Automation and AWS

In the past I was primarily a software engineer who blogged about software engineering and technology while exploring and researching security. Now I am moving towards being a security professional who uses software to automate security, networking and compliance. For this reason my old blog has much more information and this one is currently a bit sparse. That, and the fact that a lot of my recent writing now resides on an internal blog at my company, written to help our developers. Hopefully I will find time to write more here in 2016.

About two years ago, I made a few changes to align with the work I want to focus on in the future, which is based on the work I found most interesting in the past. This entails AWS, security, automating complex processes and analyzing data - especially network traffic and financial data. I was accepted into the SANS Institute Master of Security Engineering program the same month I started the Seattle AWS Architects and Engineers Meet Up. Through the SANS program I wrote a case study on the Target Breach and a security awareness kit for cloud developers, and have obtained multiple SANS certifications. Additionally I have obtained AWS certification and, as you can see, the meet up has grown quite large.

Many of the projects on my resume are related to automation of processes. I need to add to this list the process for IP allocations and for deploying security groups, subnets and NACLs for applications in over 60 VPCs across multiple lines of business. As for data analysis and security, around 2005 I wrote a WAF (web application firewall) after discovering, via network traffic anomalies, that my web server had been hacked. The early pages of this blog include some traffic analysis from someone who was quite clueless about network traffic when I started doing this. By the time I was through I was able to control very granularly who got access to the forms and pages on my web sites based on network traffic, visitor fingerprinting and HTTP request profiles.

Now I am studying packet headers in an advanced intrusion detection class and pen testing, and thinking about how all the things we are doing in information security can be automated. The number of ways systems can be and are being compromised is mind-boggling. It is clear that it is not feasible for human review of complex designs that span applications, databases and data warehousing, networking, email systems, storage, backup systems, proxies, domain controllers and much more to prevent all vulnerabilities. Changes are constant and required for a business to innovate and remain competitive. The only way to keep up with the constant change and provide adequate security review, compliance and auditing is through security automation.

AWS is, in a way, the automation of processes revolving around configuration management. It is pure genius. I used to think when I was driving down to my rack at Internap to reboot a server, or attempting to change a hard drive in a custom built server (and frying it because I put the wires in backwards) what a pain it was and if someone could just automate all these horribly manual things their company would explode exponentially. It wasn't a business I particularly wanted to run - I hired someone to run my backups because these things bore me to the point I don't trust myself to do it. But I wanted someone to do it. And Amazon has. All these manual, time wasting, error prone things we do in data centers and software deployments can be automated, so we software people who live in the logical realm and are not fans of boxes and wires can focus on other things.

When I requested to join the AWS team at Capital One, I had been evangelizing AWS at work (even sent our CIO a link to the Gartner report and a presentation I made after attending the AWS architecture training) but I had no idea at that point the speed at which AWS would be adopted at Capital One or that plans were underway to have our CIO speak at re:Invent in 2015. I simply believed that AWS had matured to the point it was highly feasible for use even at a financial institution, not to mention the benefits it provides to companies trying to remove barriers to innovation. The security processes used by AWS were better than things I had seen being done internally at any company where I had ever worked. The list of certifications offered by AWS Compliance is impressive. I also felt that the speed at which you can automate was unbeatable. The rate at which Amazon produces new features that make development easier cannot be matched by most companies trying to create an internal cloud.

In my opinion, the biggest value AWS provides for security is tools to manage your inventory, the state of your environment, event triggers and auditing. The things you lose by not running everything yourself are offset by contracts that state what Amazon is responsible for and the ability to have separation of duties and 3rd party auditing of actions taken on the AWS platform by people in your organization. Of course you still need to implement things correctly on AWS to maintain security - but there are a lot of security tools which, for most companies, make things a lot easier and more secure than what they are currently doing in house at this time.

For this reason I'm a huge fan of AWS and hoping to pick up more projects related to security and automation both at work and through my side business on this platform. Hopefully I will be able to find some time to add some additional thoughts here in the near future about how AWS can help companies improve their security posture, if implemented using AWS and security best practices.

If you happen to be reading this prior to January 18, 2016, please register for our upcoming Seattle AWS Architects & Engineers meet up with Evident.io - which will also cover some of these security and automation topics.

Thursday, January 01, 2015

Curl

Curl is like a browser that runs from a command line to get content from a web site. I'll explain that in five pieces:

1. View a web page in a browser
2. View the source for that page
3. Use Curl to get source for a page
4. Why is this useful?
5. How can it be detected?

1. View a web page in a browser

To get to a web page you type the URL in a browser.

For example:


What you really received when you requested that web page was a file containing code that your browser interprets and transforms into something you understand.

2. View the source for that page

If you want to see the code you can follow these steps:



You'll see something like this:



3. Use Curl to get source for a page

Note: download all open source software at your own risk.

Download curl: http://curl.haxx.se/


Open a command window.

To get the code for a web site (preferably your own - please read last section):

curl [web site url] 


Just like with a web browser it will get the source:


View help:

curl -h 

To put the source you requested into a file:

curl [url] > [file]

curl radicalsoftware.com > radicalsoftware.html

The command above puts the source for radicalsoftware.com into a file called radicalsoftware.html

To see if a specific string exists in the code you retrieved, you can use grep on Linux:

curl [url] | grep [string]

For example if I want to see if there is a line of code in the source that contains the string "F5" I can do that as follows:

I worked on one project at F5 Networks troubleshooting some Java code that was crashing during performance testing, so there's one line of code on my web site with a link to F5 and that line shows up as the output of my command.


4. Why is this useful?

There are many potential uses, good and not so nice. Here are a few:
  • Monitor a web site for a particular value to ensure it is up and running
  • Monitor a web site to see if a particular value appears on that web site that wasn't there originally
  • Monitor your web site content to ensure it was not altered between deployments (one of multiple ways to do this)
  • Scrape all the content from a web site by spidering through all the urls to evaluate the content offline by an automated program (hackers, competitors)
  • Scrape all the visible content from a web site when you don't have FTP or other access to the source code. Generally this is probably illegal activity because anyone who owned a web site would be accessing it through alternative, more efficient means.
  • Automated submission of web requests for performance, security and automated testing -- or for someone trying to use a site in a non-standard, automated way.

5. How can this be detected?
  • Automated traffic from non-sophisticated users of this and related tools will have obvious request headers indicating this is not human traffic.
  • Automated traffic typically has different traffic patterns that don't match human traffic patterns.
  • Excessive, repetitive traffic generally is not human, though it could be an entire organization behind a proxy server.
  • The source IP may be spoofed or compromised, but you can see the IP address sending excessive or repetitive traffic and block it.
  • Abnormal paths through web sites may indicate a non-human visitor.
  • Traffic from IPs in parts of the world where you don't do business is an indication of potential mischief.
  • Placing honey tokens and pages you don't advertise on your web site and then watching for traffic hitting those tokens is an indication of a potential bot.
  • In my case back in 2005 I wrote a kind of web application filter that would analyze requests and block traffic like this. It's not running at the time of this writing. You can see the results of traffic I discovered in this blog's history. Now there are commercial web application firewalls that do similar things.
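The checks in the list above, as an added example (not part of the original post), run over constructed web server access log lines in the Apache/Nginx combined format: it flags tool User-Agents, excessive and repetitive requests, honey-token hits and a form post from a source that never viewed the form page. The honey-token paths, form handler map, threshold and log lines are all made up for the example.

```python
"""Detection heuristics for curl-style automated traffic, run over access log lines.

Added example, not from the original post. Assumes the Apache/Nginx "combined" log
format; the honey-token paths, form handler map and threshold are made up here.
"""
import re
from collections import Counter, defaultdict

# combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Pages never linked from the site (honey tokens): a hit means guessing or spidering.
HONEY_PATHS = {"/private-do-not-index.html", "/api/v0/internal-keys"}
# Form handler -> page that carries the form; a POST without viewing the form is scripted.
FORM_HANDLERS = {"/contact/submit": "/contact"}
# Default User-Agent prefixes of command-line fetchers (curl sends "curl/<version>").
TOOL_UA_PREFIXES = ("curl/", "wget/", "python-requests/", "libwww-perl")
REPEAT_THRESHOLD = 5  # more requests than this from one IP in the sample counts as excessive

# Constructed sample log: a browsing human, a curl user, a polling monitor, one junk line.
SAMPLE_LOG = """\
198.51.100.7 - - [21/May/2017:10:00:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/53.0"
198.51.100.7 - - [21/May/2017:10:00:02 -0700] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/53.0"
198.51.100.7 - - [21/May/2017:10:00:20 -0700] "GET /contact HTTP/1.1" 200 2200 "http://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/53.0"
198.51.100.7 - - [21/May/2017:10:01:05 -0700] "POST /contact/submit HTTP/1.1" 302 0 "http://example.test/contact" "Mozilla/5.0 (Windows NT 10.0) Firefox/53.0"
203.0.113.9 - - [21/May/2017:10:05:00 -0700] "GET / HTTP/1.1" 200 5120 "-" "curl/7.52.1"
203.0.113.9 - - [21/May/2017:10:05:01 -0700] "GET /private-do-not-index.html HTTP/1.1" 404 210 "-" "curl/7.52.1"
203.0.113.9 - - [21/May/2017:10:05:02 -0700] "POST /contact/submit HTTP/1.1" 200 0 "-" "curl/7.52.1"
192.0.2.44 - - [21/May/2017:10:10:00 -0700] "GET /status.html HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; monitor)"
192.0.2.44 - - [21/May/2017:10:11:00 -0700] "GET /status.html HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; monitor)"
192.0.2.44 - - [21/May/2017:10:12:00 -0700] "GET /status.html HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; monitor)"
192.0.2.44 - - [21/May/2017:10:13:00 -0700] "GET /status.html HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; monitor)"
192.0.2.44 - - [21/May/2017:10:14:00 -0700] "GET /status.html HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; monitor)"
192.0.2.44 - - [21/May/2017:10:15:00 -0700] "GET /status.html HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; monitor)"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Group requests by source IP and return {ip: [reasons]} for IPs that trip any check."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:  # unparseable lines are skipped rather than treated as evidence
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = set()
        # 1. obvious non-browser request headers
        if any(r["ua"] == "-" or r["ua"].lower().startswith(TOOL_UA_PREFIXES) for r in recs):
            reasons.add("tool-or-missing-user-agent")
        # 2. excessive traffic from one source
        if len(recs) > REPEAT_THRESHOLD:
            reasons.add("excessive-requests")
        # 3. the same request over and over is polling, not browsing
        _, top_count = Counter((r["method"], r["path"]) for r in recs).most_common(1)[0]
        if top_count >= 3 and top_count == len(recs):
            reasons.add("repetitive-identical-requests")
        # 4. honey tokens, and 5. abnormal paths (posting to a form that was never viewed)
        seen = set()
        for r in recs:
            path = r["path"].split("?", 1)[0]
            if path in HONEY_PATHS:
                reasons.add("honey-token-hit")
            if r["method"] == "POST" and path in FORM_HANDLERS and FORM_HANDLERS[path] not in seen:
                reasons.add("form-post-without-viewing-form")
            seen.add(path)
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(reasons))
```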

Saturday, September 13, 2014

Target Breach Case Study

I was curious about what happened exactly in the Target Breach (as much as can be gleaned from publicized documents) and how such a breach might be prevented.

Since I had just started my expedition into the SANS Institute Master of Information Security Engineering program and had to write a paper, one of the options being a case study, this sounded like as good a topic as any. I talked to the SANS instructors who sent me down the path of white listing software and hardware encryption. I was also able to use the knowledge gained in SANS 5100 - Enterprise Information Security, otherwise known as Security Essentials, Bootcamp Style.

I was then very fortunate to be able to connect with security experts related to POS devices with hardware encryption, a security leader in a major retail organization and a deputy CISO who spoke at an event I attended on the issues faced by security professionals in the current environment.

The whole experience was very gratifying and I greatly appreciate the help from both the people at SANS Institute and the industry contacts, some of whom went to great lengths to help me understand the technologies involved and review the paper in great detail.

I hope others will find ways to prevent further credit card breaches by understanding the nature of the attacks and the pros and cons of the proposed solutions.

One big takeaway from the paper was that relying on EMV chips to protect people's cards doesn't always work. It seems to me it would be better to prevent the data from being stolen in the first place. There was a lot of publicity about EMV cards after the Target breach which distracted from the reasons the credit cards got stolen in the first place.

Since I wrote the paper I have been reading about VISA's token service, which basically uses a token instead of the actual credit card in the transaction process. This protects the credit card number itself, however if the token is stolen I would think that could be used just as the credit card would be. [edit: met a guy at a meet up who says the tokens are only ever used once - like a nonce? Also card on chip is protected so if you destroy the magstripe failover is not possible. Also Apple is trying to be the pin provider - kind of like multi factor authentication I would guess - but I haven't really looked into any of this myself.] My initial take is that at minimum it is a way for banks to replace the token without having to issue a new credit card and change your credit card account, which in the Target case cost them about $200M. I have not yet researched how this would work with old school POS machines and would assume retailers that had not upgraded would be subject to the same fail over problem as the EMV chip solution (possibly unless you destroy the mag stripe). Maybe I will look into this more later, but right now I have to move on to another class and a new topic.

Tokens and EMV are great ideas, but don't solve the underlying security problems that cause the credit card data (or tokens) to get stolen in the first place. Which brings more value - protection after the fact or underlying security - depends on your place in the credit card food chain (banks paid a lot of money to replace credit cards and refund invalid transactions in the Target case) and how fast all retailers update their equipment to use this new technology. Both would probably be ideal and improved detection of the theft is probably even more critical.

Another point, reiterated by everyone I spoke with, is that compliance does not equal security. The compliance check lists don't cover all the threats and can't keep up with the number and complexity of the customized attacks.

Understanding network traffic seems like a very important issue given the fact that trusted ports were tunneled and networking equipment designed to prevent malicious traffic for the particular protocols supposedly running on those ports were bypassed.

Not having enough or adequately trained security staff also seemed to be a factor.

Some of the security experts I met with felt that this must have been an inside job at least in part, however I could not find documentation to support this theory so left it out of the paper.

Overall it was a great experience and I hope some people find value in reading it. I'd love to get feedback.

The paper is now published in the SANS Reading Room - whitepapers section:



Saturday, July 19, 2014

Spam

I noticed recently that Brian Krebs, well known (infamous among hackers) security blogger, is writing a book called Spam Nation which is available for pre-ordering on Amazon:

Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door

Then I ran across this interesting blog post about stock spam and the spam kings:

http://krebsonsecurity.com/2012/01/pharma-wars-google-the-cutwail-botmaster/

Spam is what started me down this whole security path. I wondered why the heck I was getting 900 spam messages per day. I started correlating the headers and I figured out that the same messages were coming out of servers of large companies like HP and Microsoft as well as smaller companies. I started reporting the spam but no one would do anything about it. I wasn't sure if anyone was really even paying attention to the emails so eventually I stopped reporting and just blocked IPs sending spam from my servers and blogged about it.

I wonder if this stock spammer noted in the post above was responsible for the spam being generated on my server in 2006 which I wrote about in these blog posts:

http://randominternet.blogspot.com/2006/10/stock-spam.html

http://randominternet.blogspot.com/2006/07/port-25-check-it.html

When I reported that my server was hacked to my hosting company in 2006 because it was generating traffic on port 25 that wasn't from any of my systems, they didn't believe me (Rackspace). I was running an online hostel booking system for someone I met in Australia that was clearly hacked. I pinned down anomalous traffic and order patterns. Whenever I restarted my web server, it would get hit in quick succession by five random IP addresses - and it was a very low volume web server. I would then get one small order and no more. I was able to stop the malware initially by turning off my mail server. Miraculously shutting down my mail server and blocking traffic on port 25 resulted in a huge increase in bookings. Then an odd thing happened. My "customer" in Australia who purchased the business from the original customer complained they were getting too many bookings and weren't getting emails. My next step was to turn off the services one by one until I determined which one was sending the spam. Suddenly my "customer" called and cancelled the web site after the bookings increased once again. It was all very odd.

Now I'm pretty sure that the hack was somehow tunneling through SMTP or at least using SMTP to send messages related to the attack. I have never believed that spam is just spam. There is no way that many people are buying Viagra from a random email. Given that hackers used ICMP traffic to send data between systems in the Target breach I have even more inclination to believe that spam is being used for covert communications, that not all of it is spam, or that it is possibly used in some other way to infiltrate systems or remove data.

I had to fight to get my outbound firewall logs turned on to show me all the GOOD traffic back in 2006. I was told not to worry, I have a firewall. It's all just noise. The first sys admin wouldn't do it for me. I called back later in the evening when I knew a different person would pick up the phone and had a better idea what to ask for so I sounded like I knew what I was talking about. (I was a bit clueless then trying to figure things out with no help from anyone).

When I was able to pinpoint the malicious activity and showed my hosting company the traffic on port 25 that wasn't mine, no one would believe me. They said they ran a virus checker and everything was fine. In fact, I got the boot from RackSpace. They paid me to go away.

Do you believe me now?

Not that I care anymore. 

I'm just really curious what the book will say and if it will give me any additional insight.

Sunday, June 29, 2014

Amazon Account Phishing Email

Amazon phishing email...
                            
Delivered-To: xxxxxxxxxxx@gmail.com
Received: by 10.202.197.131 with SMTP id v125csp390758oif;
        Fri, 20 Jun 2014 17:13:32 -0700 (PDT)
X-Received: by 10.180.189.79 with SMTP id gg15mr7635763wic.0.1403309611555;
        Fri, 20 Jun 2014 17:13:31 -0700 (PDT)
Return-Path: <postmaster@lucklucky.net>
Received: from smtplqs-out38.aruba.it (smtplqs-out36.aruba.it. [62.149.158.76])
        by mx.google.com with ESMTP id f9si4695864wie.75.2014.06.20.17.13.30
        for <xxxxxxxxxxx@gmail.com>;
        Fri, 20 Jun 2014 17:13:31 -0700 (PDT)
Received-SPF: none (google.com: postmaster@lucklucky.net does not designate permitted sender hosts) client-ip=62.149.158.76;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: postmaster@lucklucky.net does not designate permitted sender hosts) smtp.mail=postmaster@lucklucky.net
Received: from webxc45s05.ad.aruba.it ([62.149.145.47])
 by smartcmd04.ad.aruba.it with bizsmtp
 id GoDW1o00c11am7y01oDWtF; Sat, 21 Jun 2014 02:13:30 +0200
Received: (qmail 21984 invoked by uid 19142416); 21 Jun 2014 00:13:30 -0000
Date: 21 Jun 2014 00:13:30 -0000
Message-ID: <20140621001330.21982.qmail@webxc45s05.ad.aruba.it>
To: xxxxxxxxxxx@gmail.com
Subject: update your account
X-PHP-Originating-Script: 19142416:send.php(2) : eval()'d code
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: amazon <postmaster@lucklucky.net>
[Message body, with the Microsoft Word and Constant Contact template markup stripped. The HTML title is French, "Mise à jour de vos informations" ("Update your information"), and the document language is set to fr, although the visible text is English:]

Dear xxxxxxxxxxx@gmail.com,

Your account will expire in less than 48 hours.
it is imperative to conduct an audit of your information is present, otherwise
your account will be destroyed . Just click the link below and log in using your
email and password.

[orange button] by clicking here
(href: http://sasn.mcafee.com/l?v=0&ui=0&spid=rssmountain&p=000c0000000000000000000000000000&url=https://gator4083.hostgator.com/~coachmur/gettingpaidtobefit.com/readme.php)

For more information, see Questions and answers (a link with an empty href).

Sincerely,
Amazon

Copyright 2014 amazon, Inc. All rights reserved. amazon is located at 2211 N.
First St., San Jose, CA 95131.
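An added example (not from the original post) that pulls the giveaways out of the message above with Python's standard library: the From display name claims a brand whose domains the sending domain doesn't belong to, SPF is none/neutral rather than pass, the body was generated by eval()'d PHP, and the call-to-action link is a tracking redirector whose url= parameter carries the real destination. The header block is copied from the message above; the brand-to-domain table and the list of redirect parameter names are assumptions made for the example.

```python
"""Header/body triage for the phishing message above. Added example, not from the post.

Uses only the Python standard library. BRAND_DOMAINS and REDIRECT_PARAMS are
assumptions made for this example, not a real reputation source.
"""
import email
import html
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# Headers copied from the message above (recipient redacted as in the post), with the
# HTML body reduced to its text and call-to-action link.
RAW_MESSAGE = """\
Return-Path: <postmaster@lucklucky.net>
Received: from smtplqs-out38.aruba.it (smtplqs-out36.aruba.it. [62.149.158.76])
        by mx.google.com with ESMTP id f9si4695864wie.75.2014.06.20.17.13.30
        for <xxxxxxxxxxx@gmail.com>;
        Fri, 20 Jun 2014 17:13:31 -0700 (PDT)
Received-SPF: none (google.com: postmaster@lucklucky.net does not designate permitted sender hosts) client-ip=62.149.158.76;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: postmaster@lucklucky.net does not designate permitted sender hosts) smtp.mail=postmaster@lucklucky.net
To: xxxxxxxxxxx@gmail.com
Subject: update your account
X-PHP-Originating-Script: 19142416:send.php(2) : eval()'d code
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: amazon <postmaster@lucklucky.net>

<html><body>
<p>Your account will expire in less than 48 hours. Just click the link below
and log in using your email and password.</p>
<a href="http://sasn.mcafee.com/l?v=0&ui=0&spid=rssmountain&p=000c0000000000000000000000000000&url=https://gator4083.hostgator.com/~coachmur/gettingpaidtobefit.com/readme.php">by clicking here</a>
<p>Sincerely,<br>Amazon</p>
</body></html>
"""

# Assumed lookup table: brand names seen in display names and the domains a genuine
# message from that brand is sent from.
BRAND_DOMAINS = {"amazon": ("amazon.com", "amazon.co.uk", "amazon.fr")}
# Query parameters that tracking links and open redirectors use for the real destination.
REDIRECT_PARAMS = {"url", "u", "redirect", "target", "link", "dest"}
HREF_RE = re.compile(r'href\s*=\s*"([^"]+)"', re.IGNORECASE)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_brand_domain(host, brand):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS.get(brand, ()))


def final_destination(url):
    """Unwrap tracking/redirector links by reading the URL carried in a query parameter.
    No network request is made, so a tracked or one-shot link is not burned."""
    for _ in range(5):  # bound nested redirectors
        query = parse_qs(urlsplit(url).query)
        nested = next(
            (v[0] for k, v in query.items()
             if k.lower() in REDIRECT_PARAMS and v[0].lower().startswith(("http://", "https://"))),
            None,
        )
        if nested is None:
            return url
        url = nested
    return url


def triage(raw):
    """Return the sender domain, the brand claimed in the display name, each link's
    real destination, and a sorted list of phishing indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = set()

    display_name, sender = parseaddr(str(msg["From"] or ""))
    sender_domain = domain_of(sender)
    claimed_brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    if claimed_brand and not is_brand_domain(sender_domain, claimed_brand):
        indicators.add("display-name-brand-mismatch")

    # Received-SPF is written by the receiving MTA; anything but "pass" (including a
    # missing header) means the sending host was not authorised by the envelope-from domain.
    spf_result = str(msg["Received-SPF"] or "").split(" ", 1)[0].lower()
    if spf_result != "pass":
        indicators.add("spf-not-pass")

    # PHP records the script that called mail(); eval()'d code is a phishing-kit tell.
    if "eval()'d code" in str(msg["X-PHP-Originating-Script"] or ""):
        indicators.add("php-eval-generated-body")

    body = "" if msg.is_multipart() else msg.get_content()
    final_links = []
    for link in (html.unescape(h) for h in HREF_RE.findall(body)):
        final = final_destination(link)
        final_links.append(final)
        if final != link:
            indicators.add("link-via-redirector")
        host = (urlsplit(final).hostname or "").lower()
        if claimed_brand and not is_brand_domain(host, claimed_brand):
            indicators.add("link-host-not-brand")

    return {
        "sender_domain": sender_domain,
        "claimed_brand": claimed_brand,
        "final_links": final_links,
        "indicators": sorted(indicators),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```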

Target Breach and related POS Breach Articles

Articles about the Target breach:

Overview:
http://www.businessinsider.com/target-credit-card-hackers-2013-12

Number of cards updated to 70 million
http://mobile.eweek.com/security/target-data-breach-affected-70m-much-more-than-earlier-estimates.html

Timeline:
http://www.ibtimes.com/timeline-targets-data-breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056

Missed alerts:
http://www.npr.org/2014/03/13/289836952/report-target-missed-its-chance-to-prevent-data-breach

Human considerations:
http://www.eweek.com/security/preventing-targets-troubles-locking-the-door-against-data-breaches.html

Federal lawsuit
http://www.nationaljournal.com/tech/senate-report-target-could-have-prevented-massive-hack-20140325

Removal of corporate officers:
http://www.insidecounsel.com/2014/05/30/inadequate-data-breach-preparation-response-should

CISO should report to CEO
http://www.computerworld.com/s/article/9249129/Target_top_security_officer_reporting_to_CIO_seen_as_a_mistake

Target CEO Resignation Due To Security Issues
http://www.csoonline.com/article/2151381/cyber-attacks-espionage/target-ceo-resignation-highlights-cost-of-security-blunders.html

Cards Sold on Black Market
http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/

Started with an Email attack against HVAC vendor
http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

Ward Off POS Attacks
http://www.retailgazette.co.uk/articles/32114-how-to-ward-off-pos-cyber-security-attacksd

Chip Cards to Prevent Credit Card Information Loss
http://www.northjersey.com/news/business/a-chip-on-the-old-card-1.1039445

Talent in Hacking, Not Security
http://wallstcheatsheet.com/technology/cyber-crime-why-is-all-the-talent-in-hacking-and-not-in-security.html/?a=viewall

EMV (Chip and Pin) credit cards alone cannot protect data

Car washes had pcAnywhere installed on their computers, a product end-of-lifed by Symantec and not used in years.
http://nakedsecurity.sophos.com/2014/06/25/carwash-pos-systems-hacked-credit-card-data-drained/

Tips for Protecting Point of Sale (POS) systems
http://www.lexology.com/library/detail.aspx?g=edac3d96-7d0a-4d70-87b1-966ba3fcc5c7

Small business & mobile POS
http://www.smallbusinesscomputing.com/biztools/small-business-mobile-point-of-sale-systems-the-pros-cons.html

Protecting POS systems
http://www.darkreading.com/attacks-breaches/tech-insight-defending-point-of-sale-systems/d/d-id/1141214?

Separate VLANs
http://www.darkreading.com/attacks-breaches/back-to-basics/d/d-id/1269436

VLANs vs Subnets
http://websitenotebook.blogspot.com/2014/06/vlans-vs-subnets.html?m=1

PCI is not enough, POS Malware kits, warnings and auditing software ignored or shut off
http://www.computing.co.uk/ctg/feature/2348267/too-open-for-business

FBI warns of more retail attacks
http://www.reuters.com/article/2014/01/23/us-target-databreach-fbi-idUSBREA0M1UF20140123

Hackers that wrote the malware
http://www.startribune.com/business/243125731.html#ZMDJ1wAuHohOSl87.97

Memory scraping malware
http://www.csoonline.com/article/2359441/data-protection/criminals-seeking-more-buyers-with-all-in-one-malware.html

http://www.darkreading.com/attacks-and-breaches/target-breach-8-facts-on-memory-scraping-malware/d/d-id/1113440

http://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scraper-malware-and-how-it-works/

http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

http://threatpost.com/ram-scraper-malware-a-threat-to-point-of-sale-systems

http://volatility-labs.blogspot.com/2014/01/comparing-dexter-and-blackpos-target.html

ICMP

http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883

More...

People

PCI Compliance

Target.com

NEW CISO

Joined Financial Information Sharing Center

https://www.fsisac.com/

What has done to prevent

Waiting for a major problem before taking action:

Chip and Pin Solution

Attacks on key employees

VLANs vs Subnets

POS security:

Net diagram - hunch