Scott Brown Consulting

Wikipedia: Advanced Encryption Standard

A Look at the Performance Impact of Hardware-Accelerated AES

scott — Tue, 18 Oct 2011 08:37:04 +0000

In 2010, semiconductor manufacturers began migrating the algorithmically intensive portions of the AES cipher on-die in the form of the AES-NI instruction set. Many cryptographic APIs and applications have enabled support for this new technology, and none hesitate to tout the promise of major performance improvements. Intel demonstrates 3x to 10x acceleration versus pure software implementations, while the authors of TrueCrypt set the expectation of 4x to 8x speed gains. Can these performance boosts be recognized in practice, and how much of these gains can be captured in present day, real world scenarios?

Measured “in the vacuum” of the main memory bus, AES-NI certainly delivers on its performance promises. The following benchmarks were recorded with TrueCrypt’s integrated benchmarking facility on a system equipped with an Intel Core i5-2520M Sandy Bridge processor sporting the AES extensions. When enabled on this system, hardware acceleration was observed to result in a more than 5x speed boost in AES encryption and decryption performance, bumping throughput up from 277 MB/s to 1.5 GB/s. Even cascaded modes recognized significant speed gains.

Real world applications, however, do not take place in a vacuum, and most users would be hard pressed to bring a data stream with anywhere close to even the lower of the two measured speeds in scope. Encrypted streams don’t spontaneously originate in main memory with its tens of GB/s of bandwidth. They come from storage devices and network sockets. No rotating mechanical disk drive achieves such high transfer rates at this time (try ~120 MB/s), nor does gigabit ethernet (125 MB/s). Contemporary SATA controllers do in theory (300 MB/s and 600 MB/s), and solid state disks can max out their bandwidth, but do not mix well with encryption due to wear leveling. Some RAID configurations could go there in theory, but doubtfully in practice. 10 gigabit ethernet (1.25 GB/s) could break these speeds, but is limited to exotic applications. In fact, network hardware that can operate at such speeds is largely restricted to industrial contexts.

When performance demand is less than what could be supplied absent hardware acceleration, the acceleration is a “nice to have” and might have incidental benefits, however in throughput terms its performance impact is zero. Hardware-accelerated AES can ultimately only be said to yield a material, tangible speed boost when the AES cipher is operating on a stream of greater bandwidth than a software-only implementation could keep up with at that time. This is not typically the case in practical scenarios with realistic present day hardware.

So, does AES-NI make a difference? Absolutely. It all but eliminates the possibility that the cipher will act as the performance bottleneck in any given application. It reduces the risk of an erroneous or adulterated AES implementation in software, and it mitigates side channel attacks. It conserves CPU cycles, which conserves power. And, there are circumstances when hardware-accelerated AES would have unambiguous, meaningful performance impact:

• When the stream is extremely fast: you’re lucky enough to have an unusually high performance configuration, you’re in a research lab, or you’re in the future with more advanced hardware than exists today

• When the CPU is underpowered with respect to the other bottlenecks in the system: this could be a factor as AES-NI becomes available on lower powered chips, although, every model Intel has shipped with AES on-die appears to be no less than half as fast as that tested here

• When the CPU is substantially taxed at the time by other processes, which is wholly conceivable

But, in spite of all the benefits hardware accelerated AES brings, it would be naive to regard the technical upper speed limits illustrated in benchmarks as real world performance targets. AES-NI is better viewed as future-proofing, which is no doubt what Intel and AMD are up to with their investment in AES technology.

Resources

Wikipedia: AES-NI instruction set

Intel: Advanced Encryption Standard Instructions (AES-NI)

TrueCrypt: Hardware Acceleration

Wikipedia: List of Device Bandwidths

Wikipedia: Disk Drive Performance Characteristics

SSDs and TrueCrypt: Durability and Performance Issues

Intel Product Search: AES-NI

TrueCrypt 7.1 Released

scott — Fri, 02 Sep 2011 00:46:18 +0000

Sparse remarks in the changelog for today’s updated release of the TrueCrypt free open-source disk encryption tool, version 7.1, the first new release in nearly a year. Primarily it looks like they have added support for Mac OS X 10.7 Lion. I venture the usual assessment that this update may safely be viewed as optional for users already running at least TrueCrypt 7.0, the most recent major release, absent those experiencing any specific issues.

7.1

September 1, 2011

New features:

Full compatibility with 64-bit and 32-bit Mac OS X 10.7 Lion

Improvements and bug fixes:

Minor improvements and bug fixes (Windows, Mac OS X, and Linux)

I’ll be upgrading several systems here from version 7.0a and expect zero issues. I’ve been running TrueCrypt since version 6.0a in late 2008, and never experienced a single issue upgrading or at any other time. It’s a rock solid program, though the authors are something of a black hole.

If you don’t already have Full Disk Encryption on your portable laptop or notebook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert consultant perform the procedure using streamlined tools. Contact me for information.

Resources

TrueCrypt 7.0a Released

scott — Tue, 07 Sep 2010 17:48:50 +0000

A minor bugfix update to the TrueCrypt disk encryption tool, version 7.0a, was released yesterday. The release notes cite minor bugfixes only, so this update may be viewed as optional for users already running at least TrueCrypt 7.0, the most recent major release, absent those experiencing any specific issues.

In terms of the impacted segment of users, the release notes call out a workaround for an issue affecting Windows Vista and later operating systems only (but not Windows XP) and only with specific storage controller device drivers present.

7.0a

September 6, 2010

Improvements:

Workaround for a bug in some custom (non-Microsoft) drivers for storage device controllers that caused a system crash when initiating hibernation on TrueCrypt-encrypted operating systems. (Windows 7/Vista/2008/2008R2)

Other minor improvements (Windows, Mac OS X, and Linux)

Bug fixes:

Minor bug fixes (Windows, Mac OS X, and Linux)

I’d make this to be pretty limited in extent, and for a fact it doesn’t impact my installations, all Windows XP systems. But, all the same, I’ve updated three systems here at the lab from version 7.0 without issue.

If you don’t already have Full Disk Encryption on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer full service TrueCrypt Full Disk Encryption installation for those who are most comfortable having an expert perform the procedure using streamlined tools. Contact me for information.

Resources

TrueCrypt 7.0 Released, Supports Hardware-Accelerated AES

scott — Wed, 21 Jul 2010 05:50:56 +0000

A major, feature-rich update to the TrueCrypt disk encryption tool hit the wire yesterday, notably adding support for Intel’s on-die AES-NI instruction set in Westmere class processors and newer. The authors claim a juicy 4 to 8 times performance leap for hardware-accelerated AES over a pure software implementation.

AES is the Advanced Encryption Standard, the open, powerful encryption cipher officially sanctioned by the Federal government in 2001 for the encryption of top secret information. It has since become so ubiquitous that, as of this year, chip maker Intel has begun burning the logic underlying AES right on to new chips in hard-wired, transistorized form, allowing encryption and decryption duties to be offloaded from software applications for increased security, reliability and performance.

AES is also the fastest of three ciphers supported by TrueCrypt and the default cipher when creating new volumes. With version 7.0 the TrueCrypt development team has made good on their longstanding promise of a future release that would leverage hardware-accelerated AES capabilities when present.

The new version also sports a variety of other usability, technical, and security improvements, including a number of convenience features involving Favorite Volumes (a feature I seldom use personally), and hardening of Hibernation File encryption under Windows Vista and 7 in the case that Full Disk Encryption is not in force (which is an ill-chosen configuration anyway). And, support for native volume encryption of floppy disks is dropped, presumably since no one has even seen a working floppy disk in years.

As the major version number increment suggests, this update is highly recommended for all users running previous versions. I’ve updated three systems here at the lab from version 6.3a without issue, although sadly, none of the three have new enough CPUs to do hardware-accelerated AES.

7.0

July 19, 2010

      New features:

Hardware-accelerated AES (for more information, see the chapter Hardware Acceleration).

Note: If you want to disable hardware acceleration, select Settings > Performance and disable the option ‘Accelerate AES encryption/decryption by using the AES instructions of the processor‘.

A volume can now be configured to be automatically mounted whenever its host device gets connected to the computer (provided that the correct password and/or keyfiles are supplied). (Windows)

Note: For example, if you have a TrueCrypt container on a USB flash drive and you want to configure TrueCrypt to mount it automatically whenever you insert the USB flash drive into the USB port, follow these steps: 1. Mount the volume. 2. Right-click the mounted volume in the drive list in the main TrueCrypt window and select ‘Add to Favorites‘. 3. The Favorites Organizer window should appear. In it, enable the option ‘Mount selected volume when its host device gets connected‘ and click OK.

Also note that TrueCrypt will not prompt you for a password if you have enabled caching of the pre-boot authentication password (Settings > ‘System Encryption‘) and the volume uses the same password as the system partition/drive. The same applies to cached non-system volume passwords.

Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes (Windows, Linux). Note: Previously only file-hosted volumes were supported on such drives.

Favorite Volumes Organizer (Favorites > ‘Organize Favorite Volumes‘ or ‘Organize System Favorite Volumes‘), which allows you to set various options for each favorite volume. For example, any of them can be mounted upon logon, as read-only or removable medium, can be assigned a special label (which is shown within the user interface instead of the volume path), excluded from hotkey mount, etc. The order in which favorite volumes are displayed in the Favorites Organizer window can be changed and it is the order in which the volumes are mounted (e.g. when Windows starts or by pressing the ‘Mount Favorite Volumes‘ hotkey). For more information, see the chapters Favorite Volumes and System Favorite Volumes.  (Windows)

The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted. (Windows)

      Security improvements:

In response to our public complaint regarding the missing API for encryption of Windows hibernation files, Microsoft began providing a public API for encryption of hibernation files on Windows Vista and later versions of Windows (for more information, see the section TrueCrypt 5.1a in this version history). Starting with this version 7.0, TrueCrypt uses this API to encrypt hibernation and crash dump files in a safe documented way. (Windows 7/Vista/2008/2008R2)

Note: As Windows XP and Windows 2003 do not provide any API for encryption of hibernation files, TrueCrypt has to modify undocumented components of Windows XP/2003 in order to allow users to encrypt hibernation files. Therefore, TrueCrypt cannot guarantee that Windows XP/2003 hibernation files will always be encrypted. Therefore, if you use Windows XP/2003 and want the hibernation file to be safely encrypted, we strongly recommend that you upgrade to Windows Vista or later and to TrueCrypt 7.0 or later. For more information, see the section Hibernation File.

      Improvements:

Many minor improvements. (Windows, Mac OS X, and Linux)

      Bug fixes:

Minor bug fixes. (Windows, Mac OS X, and Linux)

      Removed features:

TrueCrypt no longer supports device-hosted volumes located on floppy disks. Note: You can still create file-hosted TrueCrypt volumes on floppy disks.

The authors dropped a lot more detail in the release notes this time, which is highly appreciated.

Resources

Wikipedia: Advanced Encryption Standard

Wikipedia: AES Instruction Set

Wikipedia: Intel Westmere Architecture

Intel: Advanced Encryption Standard (AES) Instructions Set

Network Attackers: Where In The World 3

scott — Mon, 15 Feb 2010 20:19:02 +0000

Two previous rounds of analysis using IP geolocation with Whois (Part 1 and Part 2) revealed that 40% to 45% of network intrusion attempts arriving at my public-facing SSH port could be traced back to Chinese hackers, and 20% to 25% to attackers in Russia and Eastern Europe. The tally is now in from a third round of observations, boasting a significantly longer integration period (more than four months versus about six to seven weeks in the earlier rounds) and yielding plenty of interesting and even unexpected results.

First things first: logs do not lie, SSH Scan attacks are on the rise. Attacks occurred with an average frequency in round one of 0.583 per day; in round two there were 1.065 attacks seen per day; and in the round closing, I logged 1.417 attacks per day on average. Considering the total span of time under view as just eight short months, I would describe this escalation in the rate of a rather specialized and esoteric attack as rapid and alarming, and carrying the implication that more commonplace network attacks are likewise intensifying.

On 180 occasions between October 10, 2009 and February 13, 2010, intruders from 154 different IP addresses in 37 different counties were caught trying to gain illicit access to my server by dictionary attacking SSH service. Every one of these attackers was promptly blacklisted automatically by fail2ban. Repeat offenders numbering 16 came back for further punishment, none more frequently than our old friends at 61.129.60.23, “Shanghai Telecom Corporation EDI Branch” in Shanghai, China, familiar from being banned three times in round two – banned six times this round.

China maintained the dubious distinction of leadership position among all regions, chalking up 76 out of the 180 observed attacks or 42% share, consistent with expectations from past rounds. In fact, as the chart below illustrates, all other attack origins besides China occurred at a fraction the rate by comparison, suggesting more or less uniform or “background” frequency for their regions, leaving China dominant alone over all the world. (Better get used to that.)

Meanwhile, Russia and Eastern Europe logged an unexpectedly low share of all attack activity in light of past rounds, picking up only 15 attacks or 8% share. The same chart in earlier rounds showed 20% to 25% aggregate representation from Russia, Poland, and other satellite states of the former USSR – less pronounced than China but significantly greater than other regions. What happened to all the ex-Soviet bloc hackers that were tripping over themselves to break into my unremarkable Linux server prior to October? To tell you the truth, I don’t know. Either some factor caused this region to be spuriously overrepresented in rounds one and two, or some factor caused it to be spuriously underrepresented in round three, or the falloff is real.

China’s continued domination within the network intrusion arena should come as no surprise amid last month’s highly publicized allegations of state-sponsored electronic espionage and cyberwarfare, delivered at the hands of victimized Google. Forensics investigators purport that valuable data was bounced back to attackers through command and control servers in Illinois, Texas, and Taiwan, while Texas-based Rackspace, Inc. – from whose IP block, by the way, we were surreptitiously scanned in both rounds two and three – was specifically implicated. A malicious agent (Chinese or otherwise) that wished to mount attacks against valuable targets and dispose of their tracks after the fact would require to amass networks of such intermediate relays. The wide area network intrusion vector, unlike say, web or file-packaged attack vectors that target the endpoint, conveniently selects for systems that already have desirable open network posture and can act as relays once compromised.

For the record, here is the complete round three log detail:

2009-10-10 17:36:09,708 fail2ban.actions: WARNING [ssh] Ban 118.102.25.161
2009-10-11 08:25:28,208 fail2ban.actions: WARNING [ssh] Ban 218.206.243.243
2009-10-11 12:25:53,248 fail2ban.actions: WARNING [ssh] Ban 60.220.224.103
2009-10-11 13:59:52,288 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-10-12 04:46:43,358 fail2ban.actions: WARNING [ssh] Ban 82.118.208.167
2009-10-13 11:57:10,418 fail2ban.actions: WARNING [ssh] Ban 60.220.224.103
2009-10-13 18:26:40,478 fail2ban.actions: WARNING [ssh] Ban 217.8.80.220
2009-10-13 19:55:50,538 fail2ban.actions: WARNING [ssh] Ban 203.117.187.184
2009-10-14 22:34:40,608 fail2ban.actions: WARNING [ssh] Ban 62.173.39.252
2009-10-15 09:24:09,688 fail2ban.actions: WARNING [ssh] Ban 173.15.102.65
2009-10-15 16:39:16,738 fail2ban.actions: WARNING [ssh] Ban 94.137.254.29
2009-10-16 02:53:34,798 fail2ban.actions: WARNING [ssh] Ban 190.81.28.182
2009-10-16 09:01:21,868 fail2ban.actions: WARNING [ssh] Ban 84.204.138.52
2009-10-16 14:16:53,958 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-10-16 19:28:09,018 fail2ban.actions: WARNING [ssh] Ban 59.52.255.63
2009-10-16 22:20:14,188 fail2ban.actions: WARNING [ssh] Ban 66.152.190.219
2009-10-17 16:13:07,308 fail2ban.actions: WARNING [ssh] Ban 203.117.187.184
2009-10-18 09:58:48,758 fail2ban.actions: WARNING [ssh] Ban 77.247.212.56
2009-10-18 20:25:07,818 fail2ban.actions: WARNING [ssh] Ban 89.238.130.130
2009-10-19 03:53:36,858 fail2ban.actions: WARNING [ssh] Ban 118.129.166.120
2009-10-19 05:42:36,908 fail2ban.actions: WARNING [ssh] Ban 118.129.166.120
2009-10-20 10:28:29,068 fail2ban.actions: WARNING [ssh] Ban 117.21.241.10
2009-10-20 16:01:21,118 fail2ban.actions: WARNING [ssh] Ban 61.7.231.114
2009-10-21 07:34:29,188 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-10-25 13:04:55,820 fail2ban.actions: WARNING [ssh] Ban 89.171.125.198
2009-10-26 21:19:17,889 fail2ban.actions: WARNING [ssh] Ban 210.181.96.27
2009-10-28 17:14:32,199 fail2ban.actions: WARNING [ssh] Ban 202.107.209.33
2009-10-30 12:18:49,389 fail2ban.actions: WARNING [ssh] Ban 210.110.181.56
2009-10-30 14:59:54,429 fail2ban.actions: WARNING [ssh] Ban 125.206.243.126
2009-10-31 07:00:02,499 fail2ban.actions: WARNING [ssh] Ban 61.189.16.37
2009-10-31 10:28:25,539 fail2ban.actions: WARNING [ssh] Ban 203.117.187.184
2009-10-31 22:23:25,590 fail2ban.actions: WARNING [ssh] Ban 110.172.24.28
2009-11-01 05:30:23,639 fail2ban.actions: WARNING [ssh] Ban 202.70.83.100
2009-11-01 10:38:04,129 fail2ban.actions: WARNING [ssh] Ban 210.110.181.56
2009-11-03 17:51:51,289 fail2ban.actions: WARNING [ssh] Ban 121.14.38.200
2009-11-05 03:59:41,419 fail2ban.actions: WARNING [ssh] Ban 174.143.170.13
2009-11-06 07:38:13,519 fail2ban.actions: WARNING [ssh] Ban 74.205.222.26
2009-11-06 09:01:20,583 fail2ban.actions: WARNING [ssh] Ban 124.254.14.153
2009-11-07 09:50:34,689 fail2ban.actions: WARNING [ssh] Ban 87.118.90.17
2009-11-07 20:56:51,779 fail2ban.actions: WARNING [ssh] Ban 209.12.229.206
2009-11-08 21:58:55,190 fail2ban.actions: WARNING [ssh] Ban 72.55.143.45
2009-11-10 09:22:31,309 fail2ban.actions: WARNING [ssh] Ban 121.96.25.101
2009-11-12 08:23:42,439 fail2ban.actions: WARNING [ssh] Ban 78.32.130.35
2009-11-12 10:28:31,480 fail2ban.actions: WARNING [ssh] Ban 222.74.228.158
2009-11-12 19:13:48,539 fail2ban.actions: WARNING [ssh] Ban 67.225.232.40
2009-11-13 13:04:27,619 fail2ban.actions: WARNING [ssh] Ban 119.161.145.162
2009-11-14 05:45:33,690 fail2ban.actions: WARNING [ssh] Ban 210.192.123.204
2009-11-14 23:22:29,769 fail2ban.actions: WARNING [ssh] Ban 124.124.105.235
2009-11-16 03:23:52,249 fail2ban.actions: WARNING [ssh] Ban 58.218.250.111
2009-11-16 04:25:32,299 fail2ban.actions: WARNING [ssh] Ban 67.63.160.133
2009-11-16 23:48:03,369 fail2ban.actions: WARNING [ssh] Ban 202.73.10.176
2009-11-17 08:17:49,419 fail2ban.actions: WARNING [ssh] Ban 63.247.65.146
2009-11-21 06:36:19,900 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-11-22 12:18:36,329 fail2ban.actions: WARNING [ssh] Ban 123.129.212.212
2009-11-22 12:29:21,369 fail2ban.actions: WARNING [ssh] Ban 113.105.0.205
2009-11-22 12:47:04,410 fail2ban.actions: WARNING [ssh] Ban 219.117.253.94
2009-11-22 19:07:10,750 fail2ban.actions: WARNING [ssh] Ban 95.158.128.18
2009-11-23 04:18:06,799 fail2ban.actions: WARNING [ssh] Ban 125.248.158.236
2009-11-23 07:01:50,489 fail2ban.actions: WARNING [ssh] Ban 91.211.117.51
2009-11-23 17:22:21,559 fail2ban.actions: WARNING [ssh] Ban 211.99.150.154
2009-11-24 14:10:56,679 fail2ban.actions: WARNING [ssh] Ban 219.117.221.234
2009-11-24 18:17:00,729 fail2ban.actions: WARNING [ssh] Ban 59.3.239.114
2009-11-25 10:29:50,590 fail2ban.actions: WARNING [ssh] Ban 173.45.92.122
2009-11-25 22:42:42,659 fail2ban.actions: WARNING [ssh] Ban 38.101.67.253
2009-11-26 02:55:26,719 fail2ban.actions: WARNING [ssh] Ban 202.54.54.234
2009-11-27 07:52:13,889 fail2ban.actions: WARNING [ssh] Ban 83.41.203.67
2009-11-27 09:53:04,929 fail2ban.actions: WARNING [ssh] Ban 118.212.129.145
2009-11-27 23:12:00,790 fail2ban.actions: WARNING [ssh] Ban 78.110.167.178
2009-11-28 04:28:26,839 fail2ban.actions: WARNING [ssh] Ban 202.104.148.229
2009-11-29 09:34:55,619 fail2ban.actions: WARNING [ssh] Ban 75.127.173.222
2009-11-30 07:16:06,790 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-12-03 05:08:01,162 fail2ban.actions: WARNING [ssh] Ban 210.48.153.214
2009-12-04 04:42:49,252 fail2ban.actions: WARNING [ssh] Ban 59.3.239.114
2009-12-04 17:56:42,342 fail2ban.actions: WARNING [ssh] Ban 201.0.145.106
2009-12-05 11:35:18,432 fail2ban.actions: WARNING [ssh] Ban 83.83.106.128
2009-12-06 06:23:28,870 fail2ban.actions: WARNING [ssh] Ban 203.94.1.23
2009-12-07 00:48:35,190 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-12-08 22:59:35,280 fail2ban.actions: WARNING [ssh] Ban 121.10.141.118
2009-12-10 03:29:02,420 fail2ban.actions: WARNING [ssh] Ban 210.0.144.109
2009-12-11 21:37:14,490 fail2ban.actions: WARNING [ssh] Ban 218.206.243.243
2009-12-12 00:11:46,530 fail2ban.actions: WARNING [ssh] Ban 78.111.99.186
2009-12-12 02:03:41,570 fail2ban.actions: WARNING [ssh] Ban 78.111.99.186
2009-12-12 08:26:37,610 fail2ban.actions: WARNING [ssh] Ban 187.45.205.140
2009-12-12 10:26:32,660 fail2ban.actions: WARNING [ssh] Ban 148.235.76.114
2009-12-12 13:16:51,700 fail2ban.actions: WARNING [ssh] Ban 219.148.111.179
2009-12-12 15:00:02,740 fail2ban.actions: WARNING [ssh] Ban 212.30.22.69
2009-12-13 08:27:25,780 fail2ban.actions: WARNING [ssh] Ban 58.211.168.252
2009-12-13 14:27:42,850 fail2ban.actions: WARNING [ssh] Ban 116.28.64.181
2009-12-14 04:42:02,920 fail2ban.actions: WARNING [ssh] Ban 74.205.222.27
2009-12-14 14:10:39,960 fail2ban.actions: WARNING [ssh] Ban 221.122.41.60
2009-12-14 16:44:37,000 fail2ban.actions: WARNING [ssh] Ban 201.0.210.186
2009-12-15 08:09:33,070 fail2ban.actions: WARNING [ssh] Ban 202.69.103.98
2009-12-15 16:45:51,110 fail2ban.actions: WARNING [ssh] Ban 221.122.41.60
2009-12-16 17:34:06,180 fail2ban.actions: WARNING [ssh] Ban 202.95.230.4
2009-12-17 09:08:59,230 fail2ban.actions: WARNING [ssh] Ban 201.238.235.11
2009-12-17 15:18:55,280 fail2ban.actions: WARNING [ssh] Ban 121.207.251.81
2009-12-17 16:51:06,320 fail2ban.actions: WARNING [ssh] Ban 195.149.118.43
2009-12-20 09:45:10,750 fail2ban.actions: WARNING [ssh] Ban 62.181.56.206
2009-12-20 15:30:20,792 fail2ban.actions: WARNING [ssh] Ban 124.127.117.20
2009-12-21 08:08:01,850 fail2ban.actions: WARNING [ssh] Ban 208.70.160.43
2009-12-22 13:23:48,920 fail2ban.actions: WARNING [ssh] Ban 196.15.143.106
2009-12-24 23:13:51,130 fail2ban.actions: WARNING [ssh] Ban 212.18.195.102
2009-12-25 02:06:26,180 fail2ban.actions: WARNING [ssh] Ban 124.127.117.20
2009-12-25 04:36:57,220 fail2ban.actions: WARNING [ssh] Ban 122.160.65.107
2009-12-25 09:57:32,270 fail2ban.actions: WARNING [ssh] Ban 59.3.239.114
2009-12-25 16:01:32,330 fail2ban.actions: WARNING [ssh] Ban 81.236.152.229
2009-12-25 20:33:16,390 fail2ban.actions: WARNING [ssh] Ban 59.108.230.130
2009-12-27 00:43:14,470 fail2ban.actions: WARNING [ssh] Ban 117.135.138.183
2009-12-27 14:11:23,840 fail2ban.actions: WARNING [ssh] Ban 59.46.39.204
2009-12-27 15:51:28,920 fail2ban.actions: WARNING [ssh] Ban 212.18.195.102
2009-12-27 18:51:41,960 fail2ban.actions: WARNING [ssh] Ban 118.98.163.214
2009-12-27 22:00:33,010 fail2ban.actions: WARNING [ssh] Ban 212.18.195.102
2009-12-28 00:03:07,070 fail2ban.actions: WARNING [ssh] Ban 118.129.166.120
2009-12-29 05:56:58,230 fail2ban.actions: WARNING [ssh] Ban 195.189.140.82
2009-12-30 05:23:09,290 fail2ban.actions: WARNING [ssh] Ban 96.57.49.213
2009-12-30 12:29:49,360 fail2ban.actions: WARNING [ssh] Ban 200.169.98.50
2010-01-03 07:24:36,982 fail2ban.actions: WARNING [ssh] Ban 72.252.249.10
2010-01-04 04:31:14,050 fail2ban.actions: WARNING [ssh] Ban 222.124.195.2
2010-01-04 14:09:37,100 fail2ban.actions: WARNING [ssh] Ban 174.142.32.175
2010-01-05 16:54:06,150 fail2ban.actions: WARNING [ssh] Ban 201.38.138.2
2010-01-06 15:10:48,210 fail2ban.actions: WARNING [ssh] Ban 123.129.202.199
2010-01-07 03:20:17,270 fail2ban.actions: WARNING [ssh] Ban 89.140.94.122
2010-01-07 06:16:27,310 fail2ban.actions: WARNING [ssh] Ban 222.45.235.74
2010-01-08 21:30:04,440 fail2ban.actions: WARNING [ssh] Ban 60.212.42.11
2010-01-09 07:05:34,480 fail2ban.actions: WARNING [ssh] Ban 93.180.91.254
2010-01-09 08:21:17,520 fail2ban.actions: WARNING [ssh] Ban 222.73.68.164
2010-01-11 23:49:38,910 fail2ban.actions: WARNING [ssh] Ban 84.38.18.74
2010-01-12 07:08:27,950 fail2ban.actions: WARNING [ssh] Ban 58.22.102.169
2010-01-13 12:36:45,020 fail2ban.actions: WARNING [ssh] Ban 63.208.120.229
2010-01-15 08:22:30,220 fail2ban.actions: WARNING [ssh] Ban 119.161.144.182
2010-01-15 11:51:12,260 fail2ban.actions: WARNING [ssh] Ban 61.82.144.2
2010-01-15 19:21:04,340 fail2ban.actions: WARNING [ssh] Ban 62.101.89.125
2010-01-16 05:19:15,380 fail2ban.actions: WARNING [ssh] Ban 189.114.59.200
2010-01-16 22:46:29,450 fail2ban.actions: WARNING [ssh] Ban 222.73.68.164
2010-01-17 06:28:36,490 fail2ban.actions: WARNING [ssh] Ban 218.241.173.35
2010-01-17 15:13:26,110 fail2ban.actions: WARNING [ssh] Ban 203.240.201.98
2010-01-18 10:19:51,190 fail2ban.actions: WARNING [ssh] Ban 222.208.183.21
2010-01-19 06:55:38,270 fail2ban.actions: WARNING [ssh] Ban 212.13.197.42
2010-01-19 09:14:51,340 fail2ban.actions: WARNING [ssh] Ban 190.81.104.28
2010-01-19 10:21:33,390 fail2ban.actions: WARNING [ssh] Ban 59.37.54.48
2010-01-22 02:15:50,540 fail2ban.actions: WARNING [ssh] Ban 116.28.64.181
2010-01-22 21:30:19,662 fail2ban.actions: WARNING [ssh] Ban 81.10.208.178
2010-01-23 00:58:29,702 fail2ban.actions: WARNING [ssh] Ban 213.154.72.72
2010-01-23 03:52:43,742 fail2ban.actions: WARNING [ssh] Ban 77.92.148.23
2010-01-23 06:21:06,782 fail2ban.actions: WARNING [ssh] Ban 189.1.164.92
2010-01-23 14:13:19,822 fail2ban.actions: WARNING [ssh] Ban 59.108.53.212
2010-01-23 14:35:03,862 fail2ban.actions: WARNING [ssh] Ban 60.28.183.156
2010-01-24 05:49:56,932 fail2ban.actions: WARNING [ssh] Ban 60.217.32.137
2010-01-24 10:16:58,352 fail2ban.actions: WARNING [ssh] Ban 75.141.200.176
2010-01-24 11:33:19,392 fail2ban.actions: WARNING [ssh] Ban 119.6.126.2
2010-01-24 17:31:13,442 fail2ban.actions: WARNING [ssh] Ban 140.128.101.230
2010-01-25 07:03:13,492 fail2ban.actions: WARNING [ssh] Ban 210.175.111.28
2010-01-25 15:33:13,562 fail2ban.actions: WARNING [ssh] Ban 58.19.182.194
2010-01-26 20:07:46,702 fail2ban.actions: WARNING [ssh] Ban 124.30.230.147
2010-01-27 16:22:59,812 fail2ban.actions: WARNING [ssh] Ban 222.195.137.249
2010-01-28 01:56:26,862 fail2ban.actions: WARNING [ssh] Ban 125.210.34.228
2010-01-28 23:00:18,942 fail2ban.actions: WARNING [ssh] Ban 218.106.96.230
2010-01-31 05:46:58,522 fail2ban.actions: WARNING [ssh] Ban 84.235.124.106
2010-02-01 23:58:00,332 fail2ban.actions: WARNING [ssh] Ban 220.227.125.100
2010-02-02 13:05:46,423 fail2ban.actions: WARNING [ssh] Ban 219.153.34.206
2010-02-03 15:00:05,513 fail2ban.actions: WARNING [ssh] Ban 119.93.16.36
2010-02-05 02:46:58,261 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2010-02-07 04:34:23,998 fail2ban.actions: WARNING [ssh] Ban 121.37.58.49
2010-02-07 06:29:54,038 fail2ban.actions: WARNING [ssh] Ban 118.129.153.43
2010-02-07 06:38:07,398 fail2ban.actions: WARNING [ssh] Ban 118.129.153.43
2010-02-07 22:15:53,889 fail2ban.actions: WARNING [ssh] Ban 84.235.124.106
2010-02-08 06:07:42,929 fail2ban.actions: WARNING [ssh] Ban 111.73.45.211
2010-02-08 09:47:12,989 fail2ban.actions: WARNING [ssh] Ban 124.74.243.79
2010-02-08 18:52:28,039 fail2ban.actions: WARNING [ssh] Ban 222.124.195.2
2010-02-09 04:50:38,079 fail2ban.actions: WARNING [ssh] Ban 124.207.40.151
2010-02-10 04:13:38,149 fail2ban.actions: WARNING [ssh] Ban 221.195.68.74
2010-02-10 09:54:07,209 fail2ban.actions: WARNING [ssh] Ban 118.129.153.43
2010-02-10 14:55:55,259 fail2ban.actions: WARNING [ssh] Ban 98.117.120.78
2010-02-11 02:35:12,319 fail2ban.actions: WARNING [ssh] Ban 218.3.88.114
2010-02-11 08:59:15,361 fail2ban.actions: WARNING [ssh] Ban 58.216.152.134
2010-02-11 18:45:17,407 fail2ban.actions: WARNING [ssh] Ban 121.34.248.1
2010-02-11 21:37:00,447 fail2ban.actions: WARNING [ssh] Ban 193.192.238.10
2010-02-11 23:13:16,487 fail2ban.actions: WARNING [ssh] Ban 122.129.241.73
2010-02-12 03:25:44,537 fail2ban.actions: WARNING [ssh] Ban 220.90.134.2
2010-02-13 16:45:00,627 fail2ban.actions: WARNING [ssh] Ban 116.28.64.181

Who is at risk from this hacking activity? Service providers have the most direct exposure and should think long and hard about their perimeter defenses. Weak passwords on any WAN-facing service are an open invite to compromise. The most diligently patched, up to date system will get taken down in an instant on bad password security (as in this example), though in that case the intruder probably won’t be able to gain root. Risk analysis used to be predicated upon the dollar value of data on the host – e.g., Ann’s knitting store site merited less intrusion protection than a large merchant site server or a banking web application. In the new threat environment where every shell compromise might well be one hop away from a national security breach, can system administrators continue to be so lax?

Resources

Wikipedia: Operation Aurora

Wired: Threat Level – Google Attack Details

SecurityFocus Infocus: Responding to a Brute Force SSH Attack

Cyberwarfare Rages, Guess Where

scott — Wed, 13 Jan 2010 02:22:52 +0000

Late breaking articles from the New York Times and Wall Street Journal this evening caught my eye, wherein one seriously pissed off Google Inc opens up a surprisingly hard line against Beijing:

NYT: Google, Citing Cyber Attack, Threatens to Exit China

Google threatened late Tuesday to pull out of its operations in China after it said it had uncovered a massive cyber attack on its computers that originated there.

As a result, the company said, it would no longer agree to censor its search engine in China and may exit the country altogether.

Google said that a primary goal of the attackers was accessing the Gmail accounts of Chinese human right activists, but that the attack also targeted 20 other large companies…

“We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China,” …adding that the decision was being driven by executives in the United States, “without the knowledge or involvement of our employees in China.”

Google did not publicly link the Chinese government to the cyber attack, but people with knowledge of Google’s investigation said they had enough evidence to justify its actions.

34 companies were targeted… The attacks came from Taiwanese Internet addresses… stolen documents were sent electronically to a server controlled by Rackspace, based in San Antonio.

The official statement from the Google Legal chief comes short of, but leaves no mistaking, that these intrusions were definitively determined to be PRC state-sponsored activity, although originating from Taiwanese IPs.

WSJ: Google Warns of China Exit Over Hacking

Google Inc. said it may leave China after an investigation found the company had been hit with major cyber attacks it believes originated from the country…

Investigators are probing whether the attack is linked to the Chinese government or intelligence services… The attack has piqued the interest of U.S. intelligence agencies, including the National Security Agency…

For Google to withdraw from China would be an extremely rare repudiation by a Western company of what is almost universally seen in big business as one of the world’s most important markets. Even the public suggestion that it is considering such a move is likely to infuriate Chinese authorities.

Google said… it was making its move because it detected a “highly sophisticated and targeted attack on our corporate infrastructure originating from China” in mid-December. Google said the attack resulted in “the theft of intellectual property from Google.”

The perpetrators launched the attacks from at least six Internet addresses located in Taiwan, which is a common strategy used by Chinese hackers to mask their origin… The attackers used at least seven different types of attack code…

I’ve been harping on the phenomenon of Chinese cybercriminals, but of course Chinese cybersoldiers are just the flip-side of the same coin.

Now at least we know why Chinese hackers want in to my SSH server so bad… for use in mounting distributed attacks against Gmail.

I think Google will turn more conciliatory in the coming days to save face and their high growth revenue interests, but we are surely witnessing what will go down in socio/military/political history books as one of the more pronounced, and certainly most publicly visible, opening volleys on the cyberwarfare front.

Resources

NYT: Google, Citing Cyber Attack, Threatens to Exit China

WSJ: Google Warns of China Exit Over Hacking

Wikipedia: Cyberwarfare

TrueCrypt 6.3a Released

scott — Wed, 25 Nov 2009 03:33:44 +0000

A minor maintenance update to disk encryption tool TrueCrypt was released yesterday. The release notes cite bugfixes only, so this update may be viewed as optional for users already running at least TrueCrypt 6.1a, the last “highly recommended” maintenance update, absent those experiencing any specific issues.

6.3a

November 23, 2009

Improvements and bug fixes:

Minor improvements and bug fixes. (Windows, Mac OS X, and Linux)

Such glaring lack of detail in the release notes leaves upgraders unable to ascertain whether the newest fixes do or do not apply to their installations. I have complained about the lack of transparency before though, so I guess the developers have not dropped by. Are there performance improvements, security fixes, new features, or all of the above? Do they apply only to a specific architecture, or everyone? TrueCrypt: your users need to know these things.

In any event I will perform the upgrade to 6.3a on my affected systems for the sake of keeping current.

Resources

TrueCrypt 6.3 Released

scott — Wed, 21 Oct 2009 21:48:31 +0000

The latest maintenance release of disk encryption tool TrueCrypt made general availability today, adding most notably updated operating system support, including support for Windows 7 and Mac OS X 10.6. The release notes don’t indicate anything terrifically critical, so this release may be viewed as optional for users already running at least TrueCrypt 6.1a, the last “highly recommended” maintenance update. That being said, I’ll be immediately updating all installations.

6.3

October 21, 2009

      New features:

Full support for Windows 7.

Full support for Mac OS X 10.6 Snow Leopard.

The ability to configure selected volumes as ‘system favorite volumes’. This is useful, for example, when you have volumes that need to be mounted before system and application services start and before users start logging on. It is also useful when there are network-shared folders located on a TrueCrypt volume and you need to ensure that the network shares will be restored by the system each time it is restarted. For more information, see the chapter ‘Main Program Window‘, section ‘Program Menu‘, subsection ‘Volumes -> Save Currently Mounted Volumes as Favorite‘ in the documentation. (Windows)

      Improvements and bug fixes:

‘Favorite’ volumes residing within partitions or dynamic volumes will no longer be affected by changes in disk device numbers, which may occur, e.g., when a drive is removed or added. (Windows)

Many other minor improvements and bug fixes.  (Windows, Mac OS X, and Linux)

The release notes always say “Many other minor improvements and bug fixes.” For once I would like to know what exactly the improvements and bugfixes include in detail. If there’s one complaint I have about TrueCrypt it’s lack of transparency from the developers.

The in situ version update procedure is fairly trivial, overwriting the installed version of the application and rewriting an updated boot loader in the case of Full Disk Encryption. The end-to-end drive encryption pass does not have to be run again (a common concern). It is recommended (not enforced, but highly advisable) to burn an updated rescue CD for FDE systems since the boot loader has changed – I always do.

Resources