Posts Tagged 'Security'

December 23, 2011

Back up Your Life: In the Clouds, On the Go

The value of our cloud options here at SoftLayer has never been more noticeable than during the holiday season. Such a hectic time of year can cause a lot of stress ... stress that can lead to human error on some of your most important projects, data and memories. Such a loss could mean weeks or even years of valuable time and memories gone.

In the past few months, I've gone through two major data-related incidents that I was prepared for, and I can't imagine what I would have done if I didn't have some kind of backups in place. In one instance, my backups were not very current, so I ended up losing two weeks' worth of work and data, but every now and then, you hear horror stories of people losing (or having to pay a lot to restore) all of their data. The saddest part about data loss is that it's so easily preventable these days with prevalent backup storage platforms. For example, SoftLayer's CloudLayer Storage is a reliable, inexpensive place to keep all of your valuable data so you're not up a creek if you corrupt/lose your local versions somehow (like dropping a camera, issuing an incorrect syntax command or simply putting a thumb-drive through the washer).

That last "theoretical" example was in fact one of the "incidents" I dealt with recently. A very important USB thumb-drive that I keep with me at all times was lost to the evil water machine! Because the security of the data was very important to me, I made sure to keep the drive encrypted in case of loss or theft, but the frequency of my backup schedule was the crack in my otherwise well-thought-out data security and redundancy plan. A thumb drive is probably one of the best examples of items that need an automatic system or ritual to ensure data concurrency. This is a device we carry on us at all times, so it sees many changes in data. If this data is not properly updated in a central (secure and redundant) location, then all of our other efforts to take care of that data are wasted.

The problem with my "Angel" (the name of the now-washed USB drive) was related to concurrency rather than security, and looking back at my mistake, I see how "The Cloud" would have served as a platform to improve the way I was protecting my data with both of those points in mind. And that's why my new backups-in-the-cloud practices let me sleep a little more soundly these days.

If you're venturing out to fight the crowds of last-minute holiday shoppers or if you're just enjoying the sights and sounds of the season, be sure your memories and keepsake digital property are part of a well designed SRCD (secure, redundant and concurrent data) structure. Here are a few best practices to keep in mind when setting up your system:

  • Create a frequent back-up schedule
  • Use at least two physically separate devices
  • Follow your back-up schedule strictly
  • Automate everything you can for when you forget to execute on the previous bullet*

*I've used a few different programs (both proprietary and non-proprietary) that allow an automatic back-up to be performed when you plug your "on the go" device into your computer.

I'll keep an eye out for iPhone, Android and Blackberry apps that will allow for automatic transfers to a central location, and I'll put together a fresh blog with some ideas when I find anything interesting and worth your attention.

Happy Holidays!

- Jonathan

December 1, 2011

UNIX Sysadmin Boot Camp: Permissions

I hope you brought your sweat band ... Today's Boot Camp workout is going to be pretty intense. We're focusing on our permissions muscles. Permissions in a UNIX environment cause a lot of customer issues ... While everyone understands the value of secure systems and limited access, any time an "access denied" message pops up, the most common knee-jerk reaction is to enable full access to one's files (chmod 777, as I'll explain later). This is a BAD IDEA. Open permissions are a hacker's dream come true. An open permission setting might have been a temporary measure, but more often than not, the permissions are left in place, and the files remain vulnerable.

To better understand how to use permissions, let's take a step back and get a quick refresher on key components.

You'll need to remember the three permission types:

r w x: r = read; w = write; x = execute

And the three types of access they can be applied to:

u g o: u = user; g = group; o = other

Permissions are usually displayed in one of two ways – either with letters (rwxrwxrwx) or numbers (777). When the permissions are declared with letters, you should look at it as three sets of three characters. The first set applies to the user, the second applies to the group, and the third applies to other (everyone else). If a file is readable only by the user and cannot be written to or executed by anyone, its permission level would be r--------. If it could be read by anyone but could only be writeable by the user and the group, its permission level would be rw-rw-r--.

The numeric form of chmod uses one octal digit per class to represent permission levels. Read has the value 4, write 2, and execute 1. When you want a file to have read and write access, you just add the values: 4 + 2 = 6. When you want a file to have read, write and execute access, you'll have 4 + 2 + 1, or 7. You'd then apply that numerical permission to a file in the same order as above: user, group, other. If we used the example from the last sentence in the previous paragraph, a file that could be read by anyone, but could only be writable by the user and the group, would have a numeric permission level of 664 (user: 6, group: 6, other: 4).

Now the "chmod 777" I referenced above should make a little more sense: All users are given all permissions (4 + 2 + 1 = 7).

Applying Permissions

Understanding these components, applying permissions is pretty straightforward with the use of the chmod command. If you want a user (u) to write and execute a file (wx) but not read it (r), you'd use something like this:

[Image: terminal output of chmod -v u-r,u+wx on a file, showing the mode changing to 0300 (-wx------)]

In the above terminal image, I added the -v parameter to make it "verbose," so it displays the result of the command. The permissions set by the command are shown by the number 0300 and the series (-wx------). Nobody but the user can write or execute this file, and as of now, the user can't even read it (although, as the owner, the user can always chmod it back). If you were curious about the leading 0 in "0300," it is a fourth octal digit that holds the special setuid, setgid and sticky bits; it is 0 here, so for our purposes it can be ignored.

In that command, we're removing the read permission from the user (hence the minus sign between u and r), and we're giving the user write and execute permissions with the plus sign between u and wx. Want to alter the group or other permissions as well? It works exactly the same way: g+, g-, o+, o- ... Getting the idea? chmod permissions can be set with the letter-based commands (u+r,u-w) or with their numeric equivalents (e.g. 400 or 644), whichever floats your boat. One difference worth remembering: a letter-based command changes only the bits it names and leaves the rest alone, while a numeric mode replaces all nine bits at once.

A Quick Numeric chmod Reference

chmod 777 | Gives specified file read, write and execute permissions (rwx) to ALL users
chmod 666 | Allows for read and write privileges (rw) to ALL users
chmod 555 | Gives read and execute permissions (rx) to ALL users
chmod 444 | Gives read permissions (r) to ALL users
chmod 333 | Gives write and execute permissions (wx) to ALL users
chmod 222 | Gives write privileges (w) to ALL users
chmod 111 | Gives execute privileges (x) to ALL users
chmod 000 | Last but not least, gives permissions to NO ONE except root, which is not bound by these bits (Careful!)

Get a List of File Permissions

To see what your current file permissions are in a given directory, execute the ls -l command. This returns a list of the current directory including the permissions, the owner, the group, the size and the date each file was last modified. The output of ls -l looks like this:

[Image: output of ls -l, showing permissions, owner, group, size and modification date for each entry]

On the left side of that image, you'll see the permissions in the rwx format. When the entry begins with the "d" character, that object is a directory. When it starts with a dash (-), it is a regular file; an "l" marks a symbolic link.

Practice Deciphering Permissions

Let's look at a few examples and work backward to apply what we've learned:

  • Example 1: -rw-------
  • Example 2: drwxr-x---
  • Example 3: -rwxr-xr-x

In Example 1, the file is not a directory, the user that owns this particular object has read and write permissions, and when the group and other fields are filled with dashes, we know that their permissions are set to 0, so they have no access. In this case, only the user who owns this object can do anything with it. We'll cover "ownership" in a future blog, but if you're antsy to learn right now, you can turn to the all-knowing Google.

In Example 2, the permissions are set on a directory. The user has read, write and execute permissions, the group has read and execute permissions, and anything/anyone besides user or group is restricted from access.

For Example 3, put yourself to the test. What access is represented by "-rwxr-xr-x"? The answer is included at the bottom of this post.

Wrapping It Up

How was that for a crash course in Unix environment permissions? Of course there's more to it, but this will at least make you think about what kind of access you're granting to your files. Armed with this knowledge, you can build a much more secure server environment.

Here are a few useful links you may want to peruse at your own convenience to learn more:

Linuxforums.org
Zzee.com
Comptechdoc.org
Permissions Calculator

Did I miss anything? Did I make a blatantly ridiculous mistake? Did I use "their" when I should have used "they're"??!!... Let me know about it. Leave a comment if you've got anything to add, suggest, subtract, quantize, theorize, ponderize, etc. Think your useful links are better than my useful links? Throw those at me too, and we'll toss 'em up here.

Are you still feeling the burn from your Sysadmin Boot Camp workout? Don't forget to keep getting reps in bash, logs, SSH, passwords and user management!

- Ryan

Example 3 Answer

"-rwxr-xr-x" is a regular file (the leading dash). The user has read, write and execute permissions, the group has read and execute, and other has read and execute. In numeric form, that's 755.

September 27, 2011

The Challenges of Cloud Security Below 10,000 Feet

This guest blog was contributed by Wendy Nather, Research Director, Enterprise Security Practice at The 451 Group. Her post comes on the heels of the highly anticipated launch of StillSecure's Cloud SMS, and it provides some great context for the importance of security in the cloud. For more information about Cloud SMS, visit www.stillsecure.com and follow the latest updates on StillSecure's blog, The Security Samurai.

If you're a large enterprise, you're in pretty good shape for the cloud: you know what kind of security you want and need, you have security staff who can validate what you're getting from the provider, and you can hold up your end of the deal – since it takes both customer and provider working together to build a complete security program. Most of the security providers out there are building for you, because that's where the money is; and they're eager to work on scaling up to meet the requirements for your big business. If you want custom security clauses in a contract, chances are, you'll get them.

But at the other end of the scale there are the cloud customers I refer to as being "below the security poverty line." These are the small shops (like your doctor's medical practice) that may not have an IT staff at all. These small businesses tend to be very dependent on third party providers, and when it comes to security, they have no way to know what they need. Do they really need DLP, a web application firewall, single sign-on, log management, and all the premium security bells and whistles? Even if you gave them a free appliance or a dedicated firewall VM, they wouldn't know what to do with it or have anyone to run it.

And when a small business has only a couple of servers in a decommissioned restroom*, the provider may be able to move them to their cloud, but it may not be able to scale a security solution down far enough to make it simple to run and cost-effective for either side. This is the great challenge today: to make cloud security both effective and affordable, both above and below 10,000 feet, no matter whether you're flying a jumbo airliner or a Cessna.

-Wendy Nather, The 451 Group

*True story. I had to run some there.

September 1, 2011

The Importance of Network Security

On Friday, April 27, 2011, I powered on my Sony PlayStation 3 and prepared to sit down for an enjoyable gaming session. As a Sony customer and a PlayStation Network (PSN) user, I expected my system to be able to connect to a service that I was told would be available. Because I had to sign an agreement to join the PSN, I expected my personal information to be secure. On that morning, I logged in and had no idea that my personal security might be at risk due to a lack of tight-knit practices and possible information redundancy.

My many years of brand loyalty held strong as I was told constantly that the PSN was down as a result of a maintenance. I understand that emergencies happen and proper planning by a professional company is in place to shorten the duration of impact. As it turned out, proper planning for this type of event seemed to have been lost on Sony. A malicious security cracker was able to infiltrate their network to gain access to numerous PSN customers' sensitive personal information. This kind of blunder had every PSN customer wondering what could be done to prevent this kind of event from happening again.

You probably noticed that I used the word "cracker" as opposed to the more common "hacker." A hacker is an extremely knowledgeable person when it comes to computers and programming who knows the ins and outs of systems ... which is completely legal. The typical misconception is that all "hackers" are engaged in illegal activity, which is not true. If the hacker decides to use these skills to circumvent security for the purpose of stealing, altering and damaging (which is obviously illegal), then the hacker becomes a cracker. To put it simply: All crackers are hackers, but not all hackers are crackers.

When I started working at SoftLayer three years ago, I was told to pay very close attention to our company's security policy. Each employee is reminded of this policy very regularly. Proper security practice is essential when dealing with private customer data, and with the advancement of technology comes the availability of even more advanced tools for cracking. As a trusted technology partner, it is our obligation to maintain the highest levels of security.

There is not a day at work that I am not reminded of this, and I completely understand why. Even at a personal level, I can imagine the detrimental consequences of having my information stolen, so multiply that by thousands of customers, and it's clear that good security practices are absolutely necessary. SoftLayer recognizes what is at stake when businesses trust us with their information, and that's one of the big reasons I'm proud to work here. I've gone through the hassle and stress of having to cancel credit cards due to another company's negligence, and as a result, I'm joining my team in making sure none of our customers have to go through the same thing.

-Jonathan

May 31, 2011

Bringing Home Data Center Security

Look at any time period in mankind's history, and you'll come to the undeniable conclusion that technology changes the daily lives of people in any society. With the evolution of technology, our lives have gotten so much easier. Consider all the little luxuries and conveniences available now to get tasks done in the workplace and home. Unfortunately, our rapid technological advancements aren't necessarily exclusive to the "good guys" ... The "bad guys" are benefiting from new technologies as well. Crime and theft have become more sophisticated, and as a result, more technological advancement has to be pursued in security, and it's pretty remarkable to see some of the security measures and technologies put in place by companies like SoftLayer.

The day I started working here, I thought I was actually joining the CIA. I had to undergo several procedures to gain access to all the facilities: I had my photo taken and my fingerprints scanned before I registered for multiple key cards. The first job I had out of college only required its employees to have a single key card that allowed entrance through one door with access to all areas. Needless to say, it was a lot different to work in such a secure environment.

To give you an idea of what kinds of security we have at our data center, I'll walk you through my daily experience. I step into our lobby and am usually greeted by multiple security guards behind what appears to be bullet-proof glass. I have to pass a fingerprint scanner and numerous secured door checkpoints to get into the office. Every move is under the scrutiny of video cameras recording every square inch of the building. Big Brother is always watching, and for SoftLayer customers, that should be reassuring.

The facility's security reminds me of the movie Minority Report, and while those security measures may seem unnecessary or excessive, they're actually just visible evidence of SoftLayer's focus on the importance of security both online and in the physical realm.

Thinking about safety, I've also started considering heightening security at my home with a few security cameras. Some of my friends joke that this consideration is a sign of impending paranoia, but the "better safe than sorry" mantra should always be kept close to heart when it comes to protecting valuables. Apparently, I'm not alone in my home security research ... The morning after writing a good portion of this article, I came to work and a coworker told me he'd recently bought a security camera with night vision for personal use. I didn't expect such a coincidence, and of course I enthusiastically replied that I was thinking about making a similar purchase.

In closing, I'd like to ask you if you've entertained the idea of increasing security in your own home, and if so, do you have any suggestions about what equipment to purchase and features that prove useful? I doubt I'll go as far as hiring security guards and installing fingerprint scanners, but you never know!

-Danny

March 1, 2011

API Basics: REST API - "Hello World"

Learning SoftLayer's API
When I first started to look at SoftLayer's API, I favored the SOAP programming interface because I liked the strictly formatted XML responses, the good separation of concerns (using the server as proxy for data retrieval) and the increased security. All of these are great reasons to use the SOAP interface, but once I saw how easy and direct the REST interface is, I decided that I would use it as my cornerstone for learning the SoftLayer API.

REST API
Although the REST architectural style is a difficult concept to explain, its practice has become natural to those of us who use the internet daily. Imagine that the information you want to know is saved as a web page somewhere: all you have to do is type in the URL, it prompts you for a username and password, and you see the information you requested.

Authentication
Before making a request you will need to find your API authentication token. To do this, log into your customer account and click API under the Support tab. Click the "Manage API Access" link. At the bottom of the next page you will see a drop-down menu that says "Select a User" and above it a tag that says "Generate a new API access key." Select a user and click the "Generate API Key" button. You will see your username and the generated API key for that user. Copy this API key, as you'll need it to send commands to SoftLayer's API. Treat it like a password: anyone who has it can act as that user.

"Hello World"
Unfortunately, there is no specific "Hello World" command in SoftLayer's API, but there are some commands that are very simple and don't require any variables, like the getObject() method. APIs are like component libraries, split into web services and methods of that service. The SLDN has a full list of SoftLayer's web services to choose from. I am going to use the getObject() method from the SoftLayer_Account service in this example:

https://api.softlayer.com/rest/v3/SoftLayer_Account.xml

  • You will be prompted for your username and API access key
  • XML data type output

https://USERNAME:APIKEY@api.softlayer.com/rest/v3/SoftLayer_Account.json

  • Automatic authentication
  • JSON data type output

The Request
Here is the basic REST request structure:

https://username:APIkey@api.service.softlayer.com/rest/v3/serviceName/InitializationParameter.returnDatatype
  • All requests are sent via secure transfer (https://)
  • Listing your username and API key before the host name allows for automatic HTTP Basic authentication; keep in mind that a URL written this way leaves the key in your browser or shell history and in any proxy logs along the way, so for anything beyond a quick test, send the key in an Authorization header instead
  • Service and serviceName both refer to the web service you are trying to access
  • InitializationParameter is only used if the method you are calling requires an initialization parameter (the numeric id of the object you are addressing)
  • SoftLayer's REST API can respond with either JSON or XML data types; replace returnDatatype with the type you would like to receive.
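As an added example (not part of the original post, and not SoftLayer's own client library), here is a small Python helper that assembles the request structure above and sends the API key as an HTTP Basic Authorization header rather than embedding it in the URL. The explicit /getObject method segment and the companyName/id fields printed at the end follow the SLDN documentation for the REST endpoint and the SoftLayer_Account data type; the username and key used in the test are placeholders.

```python
"""Build a SoftLayer REST request with the API key in an Authorization header."""
import base64
import json
import urllib.request

API_HOST = "api.softlayer.com"   # public endpoint; api.service.softlayer.com over the private network


def build_url(service, method=None, init_id=None, fmt="json", host=API_HOST):
    """Assemble https://<host>/rest/v3/<service>[/<init_id>][/<method>].<fmt>.

    With no method segment the API runs getObject, so SoftLayer_Account.json and
    SoftLayer_Account/getObject.json fetch the same thing."""
    if fmt not in ("json", "xml"):
        raise ValueError("fmt must be json or xml")
    path = "/rest/v3/" + service
    if init_id is not None:
        path += "/" + str(int(init_id))   # the init parameter is the object's numeric id
    if method:
        path += "/" + method
    return "https://%s%s.%s" % (host, path, fmt)


def basic_auth_header(username, api_key):
    """What https://user:key@host does under the hood: RFC 7617 Basic credentials."""
    token = base64.b64encode(("%s:%s" % (username, api_key)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(username, api_key, service, method=None, init_id=None, fmt="json"):
    """Return a urllib Request whose key travels in a header, not in the URL or history."""
    req = urllib.request.Request(build_url(service, method, init_id, fmt))
    req.add_header("Authorization", basic_auth_header(username, api_key))
    return req


def call(req, timeout=30):
    """Send the request and decode the JSON body (needs network access to the API)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import getpass
    user = input("SoftLayer username: ")
    key = getpass.getpass("API key: ")     # never pasted into a URL or left in shell history
    account = call(build_request(user, key, "SoftLayer_Account"))
    print(account.get("companyName"), account.get("id"))
```

Note that urllib does not turn the user:key@host form of a URL into an Authorization header by itself, which is one more reason to build the header explicitly as above.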

The Data
Looking at the first link above, your browser should be able to output the response data in XML format, showing information about your account. More information about the format of the data can be found on the SLDN wiki.

REST Basics
When you start integrating this into a website you will want to find or write a function or library to handle advanced requests and to properly receive and disperse the response; I recommend using jQuery. This is the most basic example of a function call for SoftLayer's API; I hope that it will help you get a feel for the information that you will need to pass to our server and the kind of response that you will receive.

-Kevin

February 17, 2011

API Basics: REST

What is REST?
"Representational State Transfer," or REST, is a style of software architecture designed to relate different types of hypermedia to each other for distribution. The basic concept of REST is that a client application can request information from a server in the form of a representation of a resource without actually downloading an entirely new resource. This is how the World Wide Web works.

The World Wide Web
A browser is a client-side application that requests information from a server; the server accepts the request and transfers data back to the browser. The data transferred is not an application; it is a set of instructions that the client-side application (the browser) uses to display something. Downloading information from a server changes the application state of the browser: the result is a new page, which is the new state, so each time the browser downloads a page it is transferring a representation of a new application state.

How does REST relate to SoftLayer's API?
SoftLayer's API has many different avenues for implementation; one of these avenues is simple data transfer using the GET method in HTTP. Hyperlinks are one of the most basic examples of REST in action. When the user clicks on a hyperlink, the browser requests information from the server, and the server responds by transferring back a representation of the resource; in SoftLayer's case that representation is expressed as either XML or JSON.

What are the disadvantages of using a REST API?
In its simplest form, a REST request carries everything it needs, including authentication, in the URL itself. That is convenient, but it means your API key can end up in browser history, shell history, proxy logs and web server logs, which can lead to security problems somewhere down the line. Luckily, SoftLayer allows you to add any number of users to your account and then restrict their access to specific servers/services. This way your customers can utilize SoftLayer's API with far less risk to you or to each other, and they can even create their own users and further restrict access.

What are the advantages of using SoftLayer's REST API?
Direct client-to-server communication is the biggest advantage of using REST. The other protocols that SoftLayer uses to communicate with the API require server-side scripting; this means that you will have to program your website to use the host server as a proxy for calling SoftLayer functions. With REST you can directly link to the information that you want to display, using XSLT or JavaScript to render it. You can also use AJAX with JSONP or script injection to dynamically update your webpage. Bear in mind that anything the browser can call, the visitor can read: an API key placed in client-side JavaScript is visible to everyone who loads the page, so only a user whose permissions are restricted to exactly what that page needs should ever be used that way.

REST
REST is the most natural API style for HTTP. This sets it above others in that no extra envelope layer is needed on top of HTTP (as SOAP requires), which means less processing time and better performance. REST APIs also don't need a proxy server for remote procedure calls. This decreases server load and bandwidth usage and further increases website performance. SoftLayer's REST API is easy to implement, and with SoftLayer's tiered user system its security weaknesses can be kept in check. This is why I prefer SoftLayer's REST API over the others.

Basic REST function calls are detailed in the SoftLayer Development Network (SLDN) here.

-Kevin

February 15, 2011

Five Ways to Use Your VPN

One of the many perks of being a SoftLayer customer is having access to your own private network. Perhaps you started out with a server in Dallas, later expanded to Seattle, and are now considering a new box in Washington, D.C. for complete geographic diversity. No matter the distance or how many servers you have, the private network bridges the gaps between you, your servers, and SoftLayer's internal services by bringing all of these components together into a secure, integrated environment that can be accessed as conveniently as if you were sitting right in the data center.

As if our cutting-edge management portal and API weren't enough, SoftLayer offers complimentary VPN access to the private network. This often-underestimated feature allows you to integrate your SoftLayer private network into your personal or corporate LAN, making it possible to access your servers with the same security and flexibility that a local network can offer.

Let's look at a few of the many ways you can take advantage of your VPN connection:

1. Unmetered Bandwidth

Unlike the public network that connects your servers to the outside world, the traffic on your private network is unlimited. This allows you to transfer as much data as you wish from one server to another, as well as between your servers and SoftLayer's backup and network storage devices – all for free.

When you use the VPN service to tap into the private network from your home or office, you can download and upload as much data as you want without having to worry about incurring additional charges.

2. Secure Data Transfer

Because your VPN connection is encrypted, all traffic between you and your private network is automatically protected in transit, even when transferring data over unencrypted protocols like FTP. Keep in mind that the encryption covers the leg between you and the VPN endpoint; on the private network itself an FTP session is still plain FTP, so such traffic should stay confined to the private network.

3. Protect Sensitive Services

Even with strong passwords, leaving your databases and remote access services exposed to the outside world is asking for trouble. With SoftLayer, you don't have to take these risks. Simply configure sensitive services to only listen for connections from your private network, and use your secure VPN to access them.

If you run Linux or BSD, limiting your SSH daemon to the private network is as easy as adding the line ListenAddress a.b.c.d to your /etc/ssh/sshd_config file (replace a.b.c.d with the IP address assigned to your private network interface). Two cautions: setting ListenAddress replaces the default of listening on every interface, so confirm that the VPN path works before you restart sshd, and run sshd -t to syntax-check the file first so a typo doesn't leave you locked out.
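The same idea applies to every sensitive daemon, not just sshd. As an added example (not from the original post), the Python script below parses the output of ss -tlnp and reports every socket that is reachable from the public side, meaning bound to a public address or to all interfaces, unless its port is on an allowlist of services meant to be public. The sample ss output is constructed, and the assumption that the private network lives in 10.0.0.0/8 is a parameter you should adjust to your own subnets.

```python
"""Find services listening where the public network can reach them, from ss -tlnp output."""
import ipaddress
import re

# Assumed layout: the private network uses 10.0.0.0/8; adjust for your own subnets.
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROC_RE = re.compile(r'\("([^"]+)"')       # users:(("sshd",pid=812,fd=3)) -> sshd

# Constructed sample output of `ss -tlnp` (not captured from a real server).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     10.1.2.3:3306        0.0.0.0:*          users:(("mysqld",pid=1020,fd=18))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1300,fd=6))
LISTEN  0       4096    127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=900,fd=6))
LISTEN  0       128     203.0.113.7:5432     0.0.0.0:*          users:(("postgres",pid=1400,fd=5))
"""


def parse_ss(text):
    """Yield (process, address, port) for each LISTEN line; tolerates output without -p."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue                            # skips the header and non-listening rows
        addr, port = fields[3].rsplit(":", 1)   # "[::]:22" -> "[::]", "22"
        addr = addr.strip("[]")
        m = PROC_RE.search(line)
        yield (m.group(1) if m else "?", addr, int(port))


def exposure(addr, private_nets=PRIVATE_NETS):
    """Classify a bind address as 'all', 'loopback', 'private' or 'public'."""
    if addr == "*":
        return "all"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                       # 0.0.0.0 or :: means every interface
        return "all"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in private_nets):
        return "private"
    return "public"


def audit(ss_text, public_ok_ports=(80, 443), private_nets=PRIVATE_NETS):
    """Return the sockets reachable from the public side that are not meant to be."""
    findings = []
    for proc, addr, port in parse_ss(ss_text):
        where = exposure(addr, private_nets)
        if where in ("all", "public") and port not in public_ok_ports:
            findings.append({"process": proc, "address": addr, "port": port, "bound": where})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print("%(process)s on %(address)s:%(port)d is reachable from the public network (%(bound)s)" % f)
```

On a live server, feed it the real output (for example `subprocess.check_output(["ss", "-tlnp"], text=True)`); in the constructed sample it flags sshd on both wildcard sockets and postgres on the public address, while mysqld on the private address, redis on loopback and nginx on 443 pass.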

4. Lock Down Your Server in Case of Emergency

In the unfortunate event of a security breach or major software bug, SoftLayer allows you to virtually "pull the plug" on your server, effectively cutting off all communication with the outside world.

The difference with the competition? Because you have a private network, you can still access your server over the VPN to work on the problem – all with the peace of mind that your server is completely off-limits until you're ready to bring it back online.

5. Remote Management

SoftLayer's dedicated servers sport a neat Intelligent Platform Management Interface (IPMI) which takes remote management to a whole new level. From reboots to power supply control to serial console and keyboard-video-mouse (KVM) access, you can do anything yourself.

Using tools like SuperMicro's IPMIView, you can connect to your server's management interface over the VPN to perform a multitude of low-level management tasks, even when your server is otherwise unreachable. Has your server shut itself off? You can power it back on. Frozen system? Reboot from anywhere in the world. Major crash? Feeling adventurous? Mount a CD-ROM image and use the KVM interface to install a new operating system yourself.

This list is just the beginning. Once you've gotten a taste of the infinite possibilities that come with having out-of-band access to your hosted environment, you'll never want to go back.

Now, go have some fun!

-Nick

January 11, 2011

Jurassic Park, Uptime, And You!

Some of you may remember in the movie Jurassic Park where the park founder's granddaughter Lex, played by Ariana Richards, sits down at a computer terminal, gasps, and says "This is Unix. I know this!" That particular film moment has always resonated with me as a victory for realistic depiction of computer systems - the interface used in the movie is called fsn and was an actual Unix file manager - in an industry rife with horrific exaggerations; Swordfish, anyone? I'm sure there's an unwritten story as to how she (or her brother if you follow the book) gained her skills at a computer system that in 1993 was almost exclusively relegated to universities. However, I digress.

Shortly before that scene was another scene and catchphrase that should resound with familiarity to system administrators around the world. In the face of marauding dinosaurs and computer sabotage, the character John Arnold, played by Samuel L. Jackson, must sacrifice what I'm sure was an absurd amount of uptime by killing the power and rebooting the mainframe. Would the system come back up? Would everything load up as needed to get the park's systems back online? John's mantra was simple: "Hold on to your butts!"

Every day as a Systems Administrator I'm faced with a comparable (though far less exhilarating) situation. Linux is an extremely stable operating system, and I have logged into systems that have been online for quite literally years. Eventually, though, kernel updates or stray mounts necessitate a reboot. Will the server's filesystems need a check on reboot? Will the server even come back up? When a server's been online for that long, the only way to know is to "throw the switch" and cross your fingers.

One way to have a better idea of how your system will behave during reboots in a production environment is to take the time to update your kernel once a month or so and perform a reboot to make sure the update is actually what's running. This allows routine file system checks to take place as necessary and keeps your system abreast of the latest kernel updates. It also familiarizes you with how long the process takes and what sort of caveats you may run into, and it reduces the attack surface your server exposes to outsiders.
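As an added example (not the author's), here is a Python check for the "did the update actually take?" question: it compares the running kernel release with the newest kernel image installed, ordering version components numerically so that 3.2.0-10 is correctly seen as newer than 3.2.0-9 (plain string comparison gets that wrong). The release strings used in the test are illustrative, and the assumption that installed kernels appear as /boot/vmlinuz-<release> matches Debian and Red Hat style layouts.

```python
"""Tell whether the running kernel is the newest one installed, i.e. whether a reboot is due."""
import glob
import os
import re


def kernel_key(release):
    """Comparable key for a release string such as "3.2.0-4-amd64".

    Numeric parts compare as numbers and text parts as text, so
    3.2.0-10-amd64 sorts after 3.2.0-9-amd64, unlike a plain string compare."""
    parts = re.split(r"[.\-+~]", release)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def newest(releases):
    """The highest release string in the list by kernel_key ordering."""
    return max(releases, key=kernel_key)


def reboot_needed(running, installed):
    """True when some installed kernel is newer than the one currently in memory."""
    return kernel_key(newest(installed)) > kernel_key(running)


def installed_kernels(boot_dir="/boot"):
    """Assumed layout: one /boot/vmlinuz-<release> per installed kernel (Debian/RHEL style)."""
    prefix = "vmlinuz-"
    return [os.path.basename(p)[len(prefix):]
            for p in glob.glob(os.path.join(boot_dir, prefix + "*"))]


def check_live():
    """Compare `uname -r` with what is on disk; returns (running, newest, reboot_needed)."""
    running = os.uname().release               # same string as `uname -r`
    installed = installed_kernels() or [running]
    return running, newest(installed), reboot_needed(running, installed)


if __name__ == "__main__":
    running, latest, due = check_live()
    print("running %s, newest installed %s -> %s"
          % (running, latest, "reboot needed" if due else "up to date"))
```

Run it after your monthly update and again after the reboot: the first run should say a reboot is needed and the second should not, which is exactly the "did it stick" confirmation the post is after.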

In the last year, I have seen at least two exploits that can give an attacker root access to a server running an outdated kernel using common toolkits that can attack commonly deployed Content Management Systems with trivial effort. Compromising an unprivileged user account gives an attacker even more leverage against unpatched systems. Google CVE-2009-2695 and CVE-2010-3081 if you don't believe me.

If you run a production system or even a backend system that is exposed to the big, bad Internet, it is absolutely essential to make sure that your kernel, software, and security measures are up to date. Today's Slashdot article is tomorrow's exploit.

What lesson can we learn from the unfortunate folks at Jurassic Park? Don't assume your server is safe and don't wait until there are velociraptors roaming your halls looking for a snack to perform proper maintenance on your system.

-Adam

December 6, 2010

I, the undersigned, certify under penalty of perjury...

"I, the undersigned, certify under penalty of perjury", "We believe the following host has recently been compromised" and "I received the below unsolicited commercial e-mail" are a few of the statements that we, the SoftLayer Abuse Department, receive on a routine basis. The responsibility of responding to these quite serious matters is, in and of itself, what gives us our motivation and our niche in the overall scheme of this company: protecting our network's global reputation. Without a firm and diligent abuse department, many of our customers would experience extreme packet loss left and right. Some customers might be affected by another provider's block on an entire subnet, imposed because a single server had been periodically attacking that provider's network for a month. Others would assuredly have their IP addresses consistently listed in spam databases, restricting e-mail contact with most or all of their clients. So, in order to help keep these things from happening, we need to ensure that any reported or detected abusive activity occurring on our network is thoroughly responded to. We do this by analyzing abuse reports and determining the nature of the issue; if an issue is valid, a ticket is opened with the customer for further correspondence while we track the issue's resolution. At the same time, we maintain communication with other organizations and providers to ensure that matters are quickly addressed.

While most issues are resolved, or are being resolved, within 24 to 72 hours, some issues require a quicker response. One of these is phishing sites, which need to be removed within a shorter time frame. Our procedures regarding these sites reflect the fact that they are one of the most dangerous and widespread issues on the Internet today. If you're not familiar with them, or just want to read up on some of the latest news regarding these sites, you can get everything you need to know at the APWG (Anti-Phishing Working Group) website. SoftLayer's membership in the APWG gives us access to the most recent industry-level trends and activities for a range of abuse issues, which gives us much greater insight and oversight in identifying and resolving issues that are negatively affecting our network. I can't speak too much publicly beyond the above general time frames, since most abuse work is to some degree like spam filtering: immediate disclosure of detection methods and procedures would render them useless. However, I can say that we believe one of the most effective methods for combating phishing is consumer education. If users are familiar with how fraudulent operations work, they are more likely to recognize components of them when they see them and not become victims. In support of this concept, we encourage all of our customers to respond to phishing site 'take downs' by replacing the phishing site with a redirect to the APWG's phishing education landing page. This page is an informative document that explains to the user that they were about to become a victim of illegal activity, and goes on to explain phishing in more detail. Most people in today's modern society won't go too far out of their way to obtain new information regarding trends in cybercrime. As such, the moment in which someone is about to be the victim of a phishing scam is considered the 'teachable moment': the moment that someone has clicked on a link that they believe goes to their bank's website, but is redirected to an educational page about phishing instead. The page is also configured to work with a variety of different languages, based on the client browser settings. As more people encounter the APWG's landing page instead of a phishing site, the faster phishing education will spread and the fewer potential victims there will be. You may find information on how to implement the redirect here.

One of the next most concerning matters that we address is servers being used by unauthorized third parties to conduct some form of outbound attack. While each is malicious in its own way and needs the same attention, here are a few specifics on some of the general types. Password cracking/brute force: this is typically done by malicious code attacking multiple hosts simultaneously while trying various username and password combinations, usually drawn from a massive list of pre-defined words. One of the easiest ways to help protect a server against being affected is to move at least your SSH, FTP and RDP services to non-standard ports and to ensure that you use complex passwords. I would also advise enabling account lockouts after a certain number of failed login attempts. Another predominant type of malicious scanning sweeps an entire netblock, checking each host within it to see whether one or more ports are open, and reporting the results back to a database for later use in the brute-force attacks described above. Essentially anything that is in some way part of an intrusion attempt is a priority.
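The lockout advice above presupposes that you can see the brute-force attempts in the first place. The following is an added example, not code from the SoftLayer Abuse Department, of reviewing an auth log for exactly that pattern: it counts failed SSH logins per source address and flags any source at or above a threshold, and it prints candidate firewall rules for review rather than applying them. The log lines are constructed for the example (they follow OpenSSH's "Failed password for ... from IP port N ssh2" layout); the function names, the threshold and the use of `iptables` are assumptions of the example, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): flag SSH brute-force sources in
# an auth log. Sample lines are constructed, not a real capture.

# failed_login_sources LOGFILE THRESHOLD
# Prints "COUNT IP" for every source with at least THRESHOLD failures, highest first.
failed_login_sources() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# block_rules LOGFILE THRESHOLD
# Emits iptables commands (printed, not executed) that would drop SSH traffic
# from the flagged sources; review them before applying on a real host.
block_rules() {
    failed_login_sources "$1" "$2" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# write_sample_log FILE: constructed sample auth-log lines (RFC 5737 test addresses).
write_sample_log() {
    cat > "$1" <<'EOF'
Dec  6 01:02:03 web1 sshd[2201]: Failed password for invalid user oracle from 192.0.2.10 port 51234 ssh2
Dec  6 01:02:04 web1 sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Dec  6 01:02:05 web1 sshd[2205]: Failed password for root from 192.0.2.10 port 51236 ssh2
Dec  6 01:02:06 web1 sshd[2207]: Failed password for invalid user test from 192.0.2.10 port 51237 ssh2
Dec  6 01:02:07 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec  6 01:02:09 web1 sshd[2211]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2
Dec  6 01:02:10 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 40002 ssh2
Dec  6 01:02:11 web1 sshd[2215]: Failed password for root from 198.51.100.7 port 40003 ssh2
EOF
}

# Demo on the constructed sample when run as: sh brute-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"
    echo "sources with 3 or more failed logins:"; failed_login_sources "$tmp" 3
    echo; echo "candidate firewall rules:"; block_rules "$tmp" 3
    rm -f "$tmp"
fi
```

On a real host, point `failed_login_sources` at `/var/log/secure` or `/var/log/auth.log` instead of the sample file. The successful public-key login in the sample is deliberately ignored by the pattern, so only failures count toward the threshold.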

Next we move on to an area of abuse that has most likely affected all of us at some point in time: malware. This is a very general term we use to describe any software that has been written with malicious intent. The possible functions and uses for malware are limited only by the imagination and by the software platforms they are built upon, assuming that the infection process doesn't accidentally crash the server. Various forms of malware have, at some point in time, been identified as responsible for every type of abuse issue noted in this article. At the same time, malware on your server is not guaranteed to be the reason it is conducting outbound abusive activity. Most malware-specific tickets refer to a single malicious file, or a series of them, that is publicly accessible. These issues are often resolved quickly upon deletion of the file(s) in question. However, it is equally important to ensure that any security vulnerabilities that allowed these files to be uploaded are repaired, or you can almost guarantee that the problem will reoccur. Microsoft reported that during the 1st half of 2008, over 90% of system vulnerabilities and subsequent infections were attributable to 'weak' applications rather than to malware targeting the operating system itself (Microsoft S.I.R.). Vulnerabilities within the application layer remained the predominant risk throughout the 2nd half of 2008 as well, and malware in general has remained a formidable electronic adversary through 2009 and on to the present. As such, it is very important to ensure that you are using the most current version of every installed application, and that each was written by a trusted source, in addition to maintaining the security of the operating system itself.

One very common form of malware affecting servers is an IRC (Internet Relay Chat) bot. One bot alone can be responsible for the infection of countless other machines, commonly by injecting malicious code into poorly written PHP scripts. However, the bigger problem with an IRC bot is the fact that it's connected to an IRC botnet controller, which is capable of commanding massive numbers of infected hosts simultaneously. While these are typically used for spam or other similar illicit activities, there is still the potential for the infected servers to be involved in even worse situations. They are, in effect, a virtual army that is literally capable of taking small countries off of the Internet grid. In June of 2007, the F.B.I. initiated Operation 'Bot Roast', an ongoing investigation to locate the people behind the wires. But in the meantime, needless to say, these matters need to be addressed as soon as possible.

During our triaging of abuse reports, we also address the very common issue of spam. The three major types, listed in order of priority, are phishing, general fraud, and spam from otherwise infected hosts. However, you may also be audited, if you will, with a spam ticket regarding a mailing list one of your clients is operating. For additional information regarding e-mail marketing and the industry's best practices, spamhaus.org's FAQ is a very useful resource.

Keeping the above in mind, there is one last thing to consider: maintain a backup of all removed malicious content after it has been found. This evidence could prove invaluable to law enforcement, should a request for it be presented. We also encourage you to review your access logs to determine the source IP address(es) of any intruder or other malicious entity, so that you may report it to the appropriate organization. As with many other aspects of life, communication regarding these issues remains critical for timely and appropriate resolutions.
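The two closing recommendations, keeping the removed file as evidence and tracing the source in the access logs, can be done together in a few shell functions. This is an added example written for this post, not a SoftLayer tool: it copies the file into a read-only quarantine directory with a timestamped name, records its SHA-256 and size in a manifest, then pulls from an Apache "combined" format access log every request for the file's URL and everything else the requesting address did. The access-log lines, the `/images/img.php` path and the quarantine layout are constructed for the example; the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): preserve removed malicious content
# as evidence and find the source addresses that touched it in the access log.
# Sample log lines and paths are constructed (RFC 5737 test addresses).

# sha256_of FILE: hex digest using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# quarantine_file FILE QUARANTINE_DIR
# Copies FILE into QUARANTINE_DIR under a timestamped name, makes the copy
# read-only, appends hash/size/original path to manifest.txt and prints the hash.
quarantine_file() {
    src=$1; qdir=$2
    mkdir -p "$qdir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$qdir/$stamp-$(basename "$src")"
    cp -p "$src" "$dest"            # -p keeps the original mtime, useful for a timeline
    chmod 0400 "$dest"
    hash=$(sha256_of "$dest")
    size=$(wc -c < "$dest" | tr -d ' ')
    printf '%s  %s  %s bytes  original=%s\n' "$hash" "$dest" "$size" "$src" >> "$qdir/manifest.txt"
    printf '%s\n' "$hash"
}

# requests_for_path LOGFILE URLPATH
# Prints "IP METHOD STATUS TIMESTAMP" for each request whose URL is exactly URLPATH
# (query string ignored). In combined format: $1 client IP, $4 "[timestamp",
# $6 "\"METHOD", $7 URL, $9 status.
requests_for_path() {
    awk -v p="$2" '{
        url = $7; sub(/\?.*/, "", url)
        if (url == p) printf "%s %s %s %s\n", $1, substr($6, 2), $9, substr($4, 2)
    }' "$1"
}

# sources_for_path LOGFILE URLPATH: "COUNT IP" per requesting address, highest first.
sources_for_path() {
    requests_for_path "$1" "$2" | awk '{ n[$1]++ } END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# requests_from LOGFILE IP: everything one address did, in log order, to see how
# the file arrived (for example an earlier POST to an upload handler).
requests_from() {
    awk -v ip="$2" '$1 == ip { printf "%s %s %s %s\n", substr($4, 2), substr($6, 2), $7, $9 }' "$1"
}

# write_sample_access_log FILE: constructed combined-format lines.
write_sample_access_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [06/Dec/2010:01:02:03 +0000] "POST /images/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2010:01:02:09 +0000] "GET /images/img.php?x=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2010:01:03:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2010:01:03:15 +0000] "GET /images/img.php?x=2 HTTP/1.1" 200 130 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Dec/2010:02:10:00 +0000] "GET /images/img.php HTTP/1.1" 404 210 "-" "curl/7.19"
EOF
}

# Demo when run as: sh evidence.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '<?php /* constructed placeholder, not real malware */ ?>\n' > "$d/img.php"
    echo "quarantined, sha256: $(quarantine_file "$d/img.php" "$d/quarantine")"
    write_sample_access_log "$d/access.log"
    echo "requests for /images/img.php:"; requests_for_path "$d/access.log" /images/img.php
    echo "by source:"; sources_for_path "$d/access.log" /images/img.php
    echo "all activity from 198.51.100.7:"; requests_from "$d/access.log" 198.51.100.7
    rm -rf "$d"
fi
```

In the constructed sample the top source also made a POST to the upload handler a few seconds before the first hit on the dropped file, which is the kind of detail that identifies the vulnerable application to repair as well as the address to report. The 404 from a third address after removal shows that probing may continue after clean-up, so the log review is worth repeating.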

-Andrew Smith - Martinez
