networking


A survey carried out by one of the most respected polling institutes in Sweden (SIFO) shows that a majority of the population is opposed to the new IPRED legislation (Swedish).

Photo: Delta407 on Flickr (http://www.flickr.com/photos/delta407). Edited by me. CC BY-SA.

On April 1st copyright owners will have the mandate to go to court and demand the name of the subscriber behind an IP address. Judging from earlier implementations, they will then send a letter (through normal post) demanding a specific sum and threatening to start a civil lawsuit if their demands are not met.

The Swedish implementation, because of our existing civil lawsuit and IP legislation, also allows them to freeze all of their victims’ funds and carry out home searches with the aid of the Swedish Enforcement Authority (which usually comes by to evict people or confiscate things for unpaid bills).

Now that it has even been statistically shown that one in two Swedes does not want this legislation, the law is still going ahead. The Minister of Justice, Beatrice Ask, insists that the law is proportional and says that “Sometimes you have to take uncomfortable decisions as a politician”… OK? Sure… but you do not have to make decisions that the citizens do not want you to make! That’s the whole point of a democracy!

Her statements are now being torn to pieces by the blogging community, and contempt for politicians is on the rise again. People respect politicians and lawmakers less and less, which is not a good thing and needs to stop. If people have no respect for the lawmakers, they’ll lose respect for all laws in the long run. Unfortunately this process is entirely in the politicians’ hands, they are the only ones who can stop it, and that won’t happen.

Sweden runs the web, and we will not stop doing so just because unbalanced copyright legislators try to stop technological evolution. We are however running a great risk of losing the public’s faith in the democratic system along the way, and no one wants to see that happen.

The full results of the survey were:

32% Want to implement the IPRED1 directive in the way now done.
48% Do not want the IPRED1 implementation now made into law.
19% Had doubts or did not know.

And at the same time as the established politicians are acting as tools for lobbyists, the number of members of the Swedish Pirate Party keeps rising and we’re now closing in on 12500 members.

It is now 65 days until the EU-elections, vote Pirate!


Nice article in The Independent on “Why Sweden runs the web”:

“Technology must be in the Swedish genes; in 1900, Stockholm had more telephones than London or Berlin. When Crown Princess Victoria announced her engagement last week, she did so via a video on the royal website. The weekend’s biggest film opening was an adaptation of novelist Stieg Larsson’s thriller The Girl with the Dragon Tattoo. The heroine of the title is a young computer hacker with a flexible attitude to the law.

It’s easy to elicit sympathy for such a character when some two million Swedes use The Pirate Bay.”

It’s a long article, but worth reading :)


Note: Posts starting with Q.P. in the title are quickposts. No images, just thoughts and reflections.


Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. For more info, read “About this blog”.
Photo: Pink Sherbet Photography on Flickr (http://flickr.com/photos/pinksherbet/). CC Attribution.

Conficker, the network worm exploiting the MS08-067 vulnerability that I’ve mentioned previously, has continued to evolve and several new variants (.B/.C most prominent) have been discovered.

The impact this worm is making is getting bigger, but here at Panda Sweden we haven’t drowned in work yet. The stories I’ve heard so far are the usual ones, with users and consultants bringing infected units (or USB sticks) into the network and then infecting unpatched machines that had previously been hiding behind the corporate firewall. So far it doesn’t seem too bad here though, and I’m holding my thumbs that people learned to patch their machines back in 2004 ;)

That’s also all it comes down to. Patching your machines. If you’re here looking for an easy solution to the mass infection in your network, you’re probably too late. You should have thought about patching before you got infected, not after. However, what you need to do now in order to resolve your situation is to:

- Patch your workstations and servers. Read MS Security Bulletin MS08-067. Patching can be done in a million ways. If you’re currently lacking a patching solution, look into Microsoft WSUS for a free (as in free beer, not freedom) solution. To identify unpatched or in other ways insecure systems, you can use the Microsoft Baseline Security Analyzer. This tool will also identify weak passwords, something that Conficker uses to spread in local networks.

- Disinfect the infected machines. Again, this can be done in several ways depending on your current situation and I would recommend contacting your anti-malware/anti-virus vendor for exact instructions. Some of us have specialized tools available for rapid deployment through scripts etc., so you don’t have to change into your jogging shoes ;) A good start before you call is to make sure the machines actually have protection installed and updated though. If not, install it and make sure it’s updated. If you’re a single user you can clean your machine using online scanners such as ActiveScan 2.0. If you’re using a Panda Security solution you can find your local office here.

- Learn from your mistakes. Get a patch routine going and a monitoring system running. Make sure your anti-malware solution is up & working, and then implement a process to ensure that it’ll do so in the future as well.

Also keep in mind that Conficker, besides the normal worm behaviour and what I’ve mentioned in previous posts, infects USB sticks and other portable storage as well. It does this by placing malicious files on the media and auto-running them through the autorun and autoplay features when the media is connected to a computer.

More information: Panda Security 2, Panda Research, PC1News, Sophos, CA, Harry Waldron, F-Secure 2 3, MS Malware Protection Center, RegistryCleanerz.


Photo: swanksalot on Flickr (original: http://flickr.com/photos/swanksalot/1621179/).

For those who don’t know, the idea of market liberalism is that no market shall be regulated, and companies shall grow, shrink or fail depending on the demand for their products.

The market liberals in the Swedish Government have now decided not to follow their own ideology and to limit the availability of free (as in freedom) culture and media through regulation. Their outspoken goal is, by doing this, to save the recording industry from going under in this new and networked world, as it has been unable to adapt during the previous 10 years.

They have also decided to give away policing powers to these companies and their lobbying organizations, not limited to filing suits. They’re also allowed to raid citizens’ homes and freeze bank accounts, with the help of the Swedish Enforcement Agency.

This is not a joke and it is not an overstatement.

So what they’re basically saying is that they do not give a rat’s ass about what the voting public wants them to do, which is to realize liberal markets, and also that they do not care if twelve-year-olds get their parents’ houses raided for downloading Britney’s latest hit.

There goes the meaning of “due process”.

So, what can one do to protect oneself from the government and the media companies?

First off, you might want to join some group that fights to limit this madness. Second, you should send e-mails, call or send regular mail to your political representatives explaining your views on the new digital world. If they do not know how many people want them to stop acting like idiots, they never will.

Also, start scrutinizing your media consumption and do not pay the industry that limits your freedom. It’s very important to understand that without money, these companies don’t have any power to push any other idiotic legislation through our politicians. Use RIAA RADAR as a start, but do your own research, and consider actually calling the record labels and asking what their stance on IPRED (for example) is. Do not pay to get your liberties shattered!

After doing this, the next thing to do is to open your network and run a shared or insecure wireless setup. You should set that up in a nice way, so that you do not expose your internal computers to others connecting from the outside. Consider using WEP as encryption, as that isn’t hard to break but will keep most people away. You should do this to be able to question whether any packets to or from your network are actually “yours”. Offering an open network is also in general a nice thing to do for your fellow man.

The next step is to encrypt all data. Not only the operating system partitions, but all disks in your computer. For both Windows and Linux this can be done in a secure way using TrueCrypt, which is also free. The only downside to doing this is that you’ll have to enter your password(s) every time you start the computer. The performance impact is not that severe, and I use it on my gaming computer without any negative impact. Remember to use a long (preferably over 30 characters) passphrase. Use a sentence from a book, for example.

Start encrypting your network traffic and hide your real IP address when consuming “pirated” or remixed media. There are several services that can offer you this today, and I’m not sure which one is the best. Some of the ones that seem the most serious are Relakks (PPTP tunnels) and PRQ (plain tunneling or IPsec tunneling, Swedish site). There are also services such as TorrentPrivacy, but I do not know who is behind it or if you can trust their applications.

It feels kind of sick writing a guide on how you can protect yourself from the people that are supposed to protect you, but I can live with it. I’ve thought about doing this before, but never wanted to as I would also be teaching some potentially bad guys how to stay hidden. But when I’m backed into a corner I’m the kind of person that fights, not the kind that lies down and waits to get beaten. Soon enough we’ll be in this reality and then it’ll be too late.


Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. Read “About this blog”.
Lock in the grass... yup.

We’re seeing a quite large increase in Conficker.A infections (exploiting MS08-067) in Sweden right now, and computers that are not sufficiently patched or secured are causing a mess.

So far, most corporate network infections are making more noise than damage, as people seem to have become better at patching since 2003-2004. What is raising the alarms is our protection proactively blocking the network attack when it’s delivered from an infected machine, or, on computers without TruPrevent, nailing it with the signature.

Anyways, I feel like being a bit proactive and recite some of the simpler lessons from 2003 in the new light of this little worm as it feels in my gut like we’re going to get taken for a ride.

What do you do once your switches start looking like Christmas trees, all lit up and warm? Well, there’s no single recipe and there will most certainly be a twist to your specific situation. There are, however, some basic things you can do, and you can start by asking yourself:

Are your machines patched?
  a) I do not know
  b) Yes they are
  c) No they are not

If A, use Microsoft Baseline Security Analyzer to get a picture of the current situation. This tool can be set up on any modern Windows system and should be run using domain admin credentials in order to gain total visibility. It will also display a lot of other crucial security information (password complexity, security policies etc.).

If B, haha, yeah right… ;) But if you’re confident about it you can at least be calmed by the fact that you are probably exposing less attack surface internally to the worm. You will however have some clients that are not patched or incorrectly patched, and if they’re not infected yet they will be shortly.

If C, you should start finding out how you can most easily distribute the fix. If you’re running a smaller shop you might even have greater success doing the good ol’ walk around the office, but if you have a couple of hundred or a thousand clients you need to set up a deployment plan now. Possible deployment methods range from SMS, System Center, ZENworks (Novell) and logon scripts with silent patch install, to a WSUS set-up with group policy configuration. It really doesn’t matter which technology you use, it just needs to be done “yesterday”.

Do you know what machines are infected at this time?
  a) Yes.
  b) Nope, or some, but I’m guessing there’s more.

If A, set them straight. That is, install the patch, install your protection, update that protection and make sure the machine is as “clean” as it can be. Then move on to B.

If B, install Wireshark on a patched computer (or why not use Linux?) and sniff the network for 15-30 minutes. This does not have to be done in promiscuous mode or using any special networking equipment, as all we want to see is computers trying to exploit/infect the computer you are sniffing on. After stopping the traffic capture you will have a lot of packets to analyze, and what you’re looking for are SMB packets that look something like this:

Image by Don Jackson from SecureWorks via the ThreatExpert blog. Thanks Don!

The key here is identifying SMB packets that carry a call to the NetPathCanonicalize function. The function name itself is not in the packet; what is on the wire is a SRVSVC request with opnum 31, so you should be able to use a filter expression like this in Wireshark (not tested atm so no guarantees):

srvsvc.opnum == 31

Note the source IP for all lines matching the above expression and try to identify the physical machine behind it. Usually it helps to identify the user first, and to do that just click “Start menu” -> “Run”, write “\\OFFENDING_IP_NUMBER\c$” and press OK. When you get the mapping up, go into “Documents and Settings” and sort the listing by modification date, and you’ll see which user last used the computer.
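As an added example (not part of the original post), here is a small Python script showing what a NetPathCanonicalize call actually looks like on the wire, a DCE/RPC bind to the SRVSVC interface followed by a request PDU with opnum 31, and which source IPs send it. The PDU samples are constructed, the SMB/TCP framing is left out, and binds are tracked per source IP rather than per connection.

```python
"""Added example (not from the original post): flag DCE/RPC requests for
SRVSVC opnum 31, NetPathCanonicalize, the call that MS08-067 exploits.
The function name is never on the wire; a sniffer sees a bind to the SRVSVC
interface UUID and then a request PDU whose opnum field is 31. Legitimate
clients (DFS lookups) call it too, so a burst from one host is the signal.
Sample PDUs are constructed inline, not taken from a real capture."""
import struct
import uuid

SRVSVC_IFACE = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
NETPATHCANONICALIZE = 31          # what Wireshark shows as srvsvc.opnum == 31
PTYPE_REQUEST, PTYPE_BIND = 0, 11


def _header(ptype, call_id, body):
    # 16-byte common header: ver 5.0, first+last fragment, little-endian NDR.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body

def build_bind(call_id, contexts):
    """contexts: [(context_id, interface uuid)], one NDR transfer syntax each."""
    ctx = b"".join(struct.pack("<HBB", cid, 1, 0) + iface.bytes_le
                   + struct.pack("<I", 3) + NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
                   for cid, iface in contexts)
    head = struct.pack("<HHIBBH", 4280, 4280, 0, len(contexts), 0, 0)
    return _header(PTYPE_BIND, call_id, head + ctx)

def build_request(call_id, context_id, opnum, stub=b""):
    return _header(PTYPE_REQUEST, call_id,
                   struct.pack("<IHH", len(stub), context_id, opnum) + stub)

def parse_bind_contexts(pdu):
    """Map context id -> abstract interface UUID announced in a bind PDU."""
    n_ctx, off, out = pdu[24], 28, {}
    for _ in range(n_ctx):
        cid, n_syntax = struct.unpack_from("<HB", pdu, off)
        out[cid] = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        off += 24 + 20 * n_syntax     # context element plus its transfer syntaxes
    return out

def scan(pdus):
    """pdus: iterable of (src_ip, pdu bytes) in capture order.
    Returns [(src_ip, call_id)] for each SRVSVC NetPathCanonicalize request.
    Simplification: binds are tracked per source IP, not per TCP connection."""
    bound, hits = {}, []
    for src, pdu in pdus:
        if len(pdu) < 16 or pdu[0] != 5:
            continue                                   # not a DCE/RPC v5 PDU
        ptype, frag_len = pdu[2], struct.unpack_from("<H", pdu, 8)[0]
        if frag_len != len(pdu):
            continue                                   # fragmented or truncated
        call_id = struct.unpack_from("<I", pdu, 12)[0]
        if ptype == PTYPE_BIND:
            bound.setdefault(src, {}).update(parse_bind_contexts(pdu))
        elif ptype == PTYPE_REQUEST:
            cid, opnum = struct.unpack_from("<HH", pdu, 20)
            if bound.get(src, {}).get(cid) == SRVSVC_IFACE and opnum == NETPATHCANONICALIZE:
                hits.append((src, call_id))
    return hits

# Constructed traffic: 10.0.0.5 looks like a scanning host, the others do not.
SAMPLE = [
    ("10.0.0.5", build_bind(1, [(0, SRVSVC_IFACE)])),
    ("10.0.0.5", build_request(2, 0, NETPATHCANONICALIZE, b"\x00" * 8)),
    ("10.0.0.7", build_bind(1, [(0, SRVSVC_IFACE)])),
    ("10.0.0.7", build_request(2, 0, 15)),                   # NetrShareEnum, benign
    ("10.0.0.9", build_request(3, 0, NETPATHCANONICALIZE)),  # no bind seen, unknown iface
]

if __name__ == "__main__":
    for src, call_id in scan(SAMPLE):
        print(f"NetPathCanonicalize request from {src} (call_id {call_id})")
```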

Of course, just having an updated inventory of all machines and their MAC addresses before this happens is a bit easier. It doesn’t happen too often that this is available, though.

After the machines have been identified, patch them, protect them and finally update the protection. If you suspect that your protection doesn’t work like it should, or that the infection itself persists and doesn’t get cleaned, you should contact your AV vendor as soon as possible so that they can collect the sample.

The approach mentioned above is not valid if you have more than 50 machines infected. If you are in that situation the following statements are probably true: you have a large network; the machines are not updated and not protected, or if protected, it’s with old software and/or definitions. This means that you’re going to have greater trouble than most resolving this situation, and I’d suggest a more generic approach as a start.

1. Deploy the one patch needed (NOT ALL, that takes too long) through the software distribution tool of choice, logonscripts or whatever suits you in order to prevent re-infections after cleansing.
2. If available, deploy a cleansing tool or script in the same way shortly after. Contact your vendor for more information, help and suggestions.
3. Deploy Anti-Malware protection using the same method that you used to deploy the patch above and make sure that all protections are turned on and updated.

These steps might be hard to follow during an ongoing infection, and if you are having trouble, call your AV vendor! We have more experience with this and will probably be able to see things that you overlooked.

After you’ve done these basic things you can move on to the manual methodology above in order to find any computers still infected.

And finally some suggestions on what you can do now to ease the burden if (when) you get hit:

* Secure your systems, not just patches but security policies, user permissions, local administrator rights and so on. For inspiration, take a look at Microsoft’s SSLF policies. Just make sure to remember what LF in SSLF (Specialized Security - Limited Functionality) means while doing so.
* Install and manage your anti-malware and security solutions. Make sure that they are on the latest versions and that signature files/databases/IPS filters are updated as they should be.
* Strengthen your IT policy in regards to connecting external units to the network. This won’t prevent much but it’s worth a shot. If you want to enforce directives such as these, take a look at Panda NetworkSecure, Cisco NAC or Microsoft NAP.

That’s all ;)

If you need any help with anything, drop me a line and I’ll get back to you as soon as possible.

Cheerios,


Wireshark filters cheat sheet - Packetlife.net

… from Packetlife.net. Covering everything from BGP to Physical Terminations.

From the site:

“Cheat sheets are in PDF format. You are welcome to use and redistribute them as you please, so long as they remain intact and unmodified.”

That’s the spirit! The tcpdump & Wireshark ones are going on the wall now ;)


This speech nails the core of the problem with laws and regulations such as IPRED1/2:

What politicians seem to miss (every time) is that progress is driven by innovation. All evolution of the internet as we know it has been driven by information sharing, and this is getting more evident.

The whole term “The Cloud” proves this fact. This new hype which everyone tries to fit their life or product into really is nothing else than simple sharing between large groups of users.

In the future we will see media, music and art turn more prominent on the Internet than IRL. The companies that stick to old business and distribution models will be left behind and those trying to keep up will prosper. This is not something aggressive, it’s just a fact. No legislation in the world will change this, but it might slow it down.

“The web will own every bit”

What we are now calling the cloud is constantly, and at an increasing speed, growing and becoming more capable and integrated into our lives. Today I’m happy that I can stay connected and share my experiences while traveling in the middle of nowhere, tomorrow I will feel extremely secluded if I cannot do the same thing.

In my opinion, what should be further researched is:

How can we enable people to share more freely?

This is a much bigger and more important question than “How can we restrict people from sharing”, as people will always do that anyway.


It's raining in Sweden

… and the sky is ultra-gray. Not very fun ;/

On the other hand some things are shaping up. As I mentioned previously, my 3G USB stick is proving to be very competent and useful. It even works in a stone cellar below ground with just one window (Café Gråmunken, Old Town, Stockholm) ;)

The best thing about the stick is that it works out of the box on my Aspire One, as it is detected as “Option 3G”. That is, the unit’s networking software detects it as the 3G option that will be shipped with newer Aspire models. Very nice indeed.

For those interested, this is how it looks:

Qualcomm USB Stick

My provider is Bredbandsbolaget (Telenor), and the make & model of the stick is Qualcomm 3G CDMA GI0225.

Cheers,


From PRQ.SE (in Swedish; my translation):

“To all customers!

PRQ’s operations have now been sold to a group of foreign investors. The business will continue as usual, but the daily operations will not be handled by the same people except for a limited period during the transition. The biggest change will be that the company now has much better resources. More information will follow shortly. If you have any questions, you are welcome to contact us.”

What is special about this then? PRQ AB is owned (and up until now operated) by the same guys that run The Pirate Bay, and it hosts some of the world’s most attacked and controversial sites.

Some of the organizations that utilize their services are Wikileaks, The Piracy Bureau, and Kavkaz Center.

More news later on, as their website says.

UPDATE: Previous Swedish blog entries on this: Free and thinking, Fajaf. Regular media articles: ComputerSweden


Photo: mugley on Flickr.

For those who don’t know this already, Australia is one of the countries that are actively filtering and censoring the internet. They are doing this to “protect” their citizens from the big bad wolves that reside in the internet tubes, without giving their citizens’ liberty even a second glance.

Read this on the Australian security firm Sûnnet Beskerming’s blog:

“In the lead up to last year’s national election in Australia there were a range of promises made by the incumbent government, under the name NetAlert, which was reported to be for a range of projects including Internet blocking software at the user end, tracking down online predators, and filtering of traffic on the network.

It seems that the new government has now taken the proposals one step further, moving to enforce the legislation that they pushed through at the start of this year. At the time of the NetAlert announcements, the opposition (now the government) were seen to be tacitly approving of the initial presentation and the Labor party had previously been ridiculed over their approaches to, and ideas of, online censorship.

Although the Federal Government has promised to listen to “the best advice”, it seems that they are only listening to the advice that validates and otherwise affirms their approach to online censorship.”

[...]

“There can be no other way to put it other than to suggest that these efforts are being pushed through out of an ignorance of the structure and nature of the Internet, even when accurate information is readily available.”

It’s really frightening to see how fast things can go bad. So far we have not seen this kind of lunacy here in Sweden but it feels like we’re getting there.

The internet’s content is not to be controlled by any unique institution or governing organization, as the whole idea of it is then lost. The Internet is a place that should be a free, unbiased, space for information of all kinds from all sources. Sure some will be hostile, but this is not a reason to filter it.

Don’t the Australian politicians relate what they’re doing to what dictatorships are doing? Can’t they see that they’re heading down a very dangerous path by restricting free speech? Besides this being an anti-democratic thing, remember that a society that closes in on itself and censors its citizens can never evolve at the same speed as the world surrounding it, and therefore the country will suffer both economically and culturally.

The Internet was born free and should remain that way. If we can’t do that, then the whole idea behind it is dead and it’s time to form a new network.

Are you with me?

