<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>Scott Brown Consulting</title>
	
	<link>http://www.scottbrownconsulting.com</link>
	<description>Information Systems Security - Defense In Depth</description>
	<lastBuildDate>Thu, 22 Jul 2010 04:46:28 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/ScottBrownConsulting" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="scottbrownconsulting" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">ScottBrownConsulting</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>TrueCrypt 7.0 Released, Supports Hardware-Accelerated AES</title>
		<link>http://www.scottbrownconsulting.com/2010/07/truecrypt-7-0-released-supports-hardware-accelerated-aes/</link>
		<comments>http://www.scottbrownconsulting.com/2010/07/truecrypt-7-0-released-supports-hardware-accelerated-aes/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 05:50:56 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Encryption]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/?p=31</guid>
		<description><![CDATA[A major, feature-rich update to the TrueCrypt disk encryption tool hit the wire yesterday, notably adding support for Intel&#8217;s on-die AES-NI instruction set in Westmere class processors and newer. The authors claim a juicy 4 to 8 times performance leap for hardware-accelerated AES over a pure software implementation. 
AES is the Advanced Encryption Standard, the [...]]]></description>
			<content:encoded><![CDATA[<p>A major, feature-rich update to the <a target="_blank" href="http://www.truecrypt.org">TrueCrypt</a> disk encryption tool hit the wire yesterday, notably adding support for Intel&#8217;s on-die <a target="_blank" href="http://en.wikipedia.org/wiki/AES_instruction_set">AES-NI instruction set</a> in <a target="_blank" href="http://en.wikipedia.org/wiki/Nehalem_(microarchitecture)#Westmere">Westmere</a> class processors and newer. The authors claim a juicy <a target="_blank" href="http://www.truecrypt.org/docs/?s=hardware-acceleration">4 to 8 times performance leap</a> for hardware-accelerated AES over a pure software implementation. <span id="more-31"></span></p>
<p>AES is the <a target="_blank" href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">Advanced Encryption Standard</a>, the open, powerful encryption <a target="_blank" href="http://en.wikipedia.org/wiki/Cipher">cipher</a> officially sanctioned by the Federal government in 2001 for the encryption of top secret information. It has since become so ubiquitous that, as of this year, chip maker <a target="_blank" href="http://www.intel.com/">Intel</a> has begun burning the logic underlying AES <a target="_blank" href="http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/">right on to new chips</a> in hard-wired, transistorized form, allowing encryption and decryption duties to be offloaded from software applications for increased security, reliability and performance.</p>
<p>AES is also the fastest of three ciphers supported by TrueCrypt and the default cipher when creating new volumes. With version 7.0 the TrueCrypt development team has made good on their longstanding promise of a future release that would leverage hardware-accelerated AES capabilities when present.</p>
<p align=center><img src="http://www.scottbrownconsulting.com/images/20100720a.jpg" alt="TrueCrypt Performance Options showing hardware-accelerated AES" width="515" height="330"></p>
<p>The new version also sports a variety of other usability, technical, and security improvements, including a number of convenience features involving Favorite Volumes (a feature I seldom use personally), and hardening of <a target="_blank" href="http://www.truecrypt.org/docs/?s=hibernation-file">Hibernation File encryption</a> under Windows Vista and 7 in the case that Full Disk Encryption is not in force (which is an ill-chosen configuration anyway). And, support for native volume encryption of floppy disks is dropped, presumably since no one has even seen a working floppy disk in years.</p>
<p>As the major version number increment suggests, this update is highly recommended for all users running previous versions. I&#8217;ve updated three systems here at the lab from version 6.3a without issue, although sadly, none of the three have new enough CPUs to do hardware-accelerated AES.</p>
<blockquote>
<p>
<b>7.0</b></p>
<p>July 19, 2010</p>
<p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;New features:</b></p>
<ul>
<li>
<p>Hardware-accelerated AES (for more information, see the chapter Hardware Acceleration).</p>
<p>Note: If you want to disable hardware acceleration, select <i>Settings</i> &gt; <i>Performance</i> and disable the option &#8216;<i>Accelerate AES encryption/decryption by using the AES instructions of the processor</i>&#8217;.</p>
</li>
<li>
<p>A volume can now be configured to be automatically mounted whenever its host device gets connected to the computer (provided that the correct password and/or keyfiles are supplied).&nbsp; (<i>Windows</i>)</p>
<p>Note: For example, if you have a TrueCrypt container on a USB flash drive and you want to configure TrueCrypt to mount it automatically whenever you insert the USB flash drive into the USB port, follow these steps: 1. Mount the volume. 2. Right-click the mounted volume in the drive list in the main TrueCrypt window and select &#8216;<i>Add to Favorites</i>&#8217;. 3. The Favorites Organizer window should appear. In it, enable the option &#8216;<i>Mount selected volume when its host device gets connected</i>&#8217; and click <i>OK</i>.</p>
<p>Also note that TrueCrypt will not prompt you for a password if you have enabled caching of the pre-boot authentication password (<i>Settings</i> &gt; &#8216;<i>System Encryption</i>&#8217;) and the volume uses the same password as the system partition/drive. The same applies to cached non-system volume passwords.</p>
</li>
<li>
<p>Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes (<i>Windows, Linux</i>).&nbsp;Note: Previously only file-hosted volumes were supported on such drives.</p>
</li>
<li>
<p>Favorite Volumes Organizer (<i>Favorites</i> &gt; &#8216;<i>Organize Favorite Volumes</i>&#8217; or &#8216;<i>Organize System Favorite Volumes</i>&#8217;), which allows you to set various options for each favorite volume. For example, any of them can be mounted upon logon, as read-only or removable medium, can be assigned a special label (which is shown within the user interface instead of the volume path), excluded from hotkey mount, etc. The order in which favorite volumes are displayed in the Favorites Organizer window can be changed and it is the order in which the volumes are mounted (e.g. when Windows starts or by pressing the &#8216;<i>Mount Favorite Volumes</i>&#8217; hotkey). For more information, see the chapters Favorite Volumes and System Favorite Volumes.&nbsp;&nbsp;(<i>Windows</i>)</p>
</li>
<li>
<p>The <i>Favorites</i> menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted.&nbsp;(<i>Windows</i>)</p>
</li>
</ul>
<p>
<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Security improvements:</b></p>
<ul>
<li>
<p>In response to our public complaint regarding the missing API for encryption of Windows hibernation files, Microsoft began providing a public API for encryption of hibernation files on Windows Vista and later versions of Windows (for more information, see the section TrueCrypt 5.1a in this version history). Starting with this version 7.0, TrueCrypt uses this API to  encrypt hibernation and crash dump files in a safe documented  way. (<i>Windows 7/Vista/2008/2008R2</i>)</p>
<p>Note: As Windows XP and Windows 2003 do not provide any API for encryption of hibernation files, TrueCrypt has to modify undocumented components of Windows XP/2003 in order to allow users to encrypt hibernation files. Therefore, TrueCrypt cannot guarantee that Windows XP/2003 hibernation files will always be encrypted. Therefore, if you use Windows XP/2003 and want the hibernation file to be safely encrypted, we strongly recommend that you upgrade to Windows Vista or later and to TrueCrypt 7.0 or later. For more information, see the section Hibernation File. &nbsp;</p>
</li>
</ul>
<p>
<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Improvements:</b></p>
<ul>
<li>
<p>Many minor improvements. &nbsp;(<i>Windows, Mac OS X, and Linux</i>)</p>
</li>
</ul>
<p>
<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Bug fixes:</b></p>
<ul>
<li>
<p>Minor bug fixes. &nbsp;(<i>Windows, Mac OS X, and Linux</i>)</p>
</li>
</ul>
<p>
<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Removed features:</b></p>
<ul>
<li>
<p>TrueCrypt no longer supports device-hosted  volumes located on floppy disks. Note: You can still create file-hosted TrueCrypt volumes on floppy disks.</p>
</li>
</ul>
</blockquote>
<p>The authors dropped a lot more detail in the release notes this time, which is highly appreciated.</p>
<p>If you don&#8217;t already have <a href="http://www.scottbrownconsulting.com/2009/02/full-disk-encryption-service-now-available/">Full Disk Encryption</a> on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer <a href="http://www.scottbrownconsulting.com/services/">full service TrueCrypt Full Disk Encryption installation</a> for those who are most comfortable having an expert perform the procedure using streamlined tools. <a href="http://www.scottbrownconsulting.com/contact/">Contact me</a> for information.</p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://www.truecrypt.org">TrueCrypt Homepage</a></p>
<p><a target="_blank" href="http://www.truecrypt.org/docs/?s=version-history">TrueCrypt Release Notes</a></p>
<p><a target="_blank" href="http://www.truecrypt.org/downloads">TrueCrypt Download Latest Stable Version</a></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">Wikipedia: Advanced Encryption Standard</a></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/AES_instruction_set">Wikipedia: AES Instruction Set</a></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/Nehalem_(microarchitecture)#Westmere">Wikipedia: Intel Westmere Architecture</a></p>
<p><a target="_blank" href="http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set/">Intel: Advanced Encryption Standard (AES) Instructions Set</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2010/07/truecrypt-7-0-released-supports-hardware-accelerated-aes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Attackers: Where In The World 3</title>
		<link>http://www.scottbrownconsulting.com/2010/02/network-attackers-where-in-the-world-3/</link>
		<comments>http://www.scottbrownconsulting.com/2010/02/network-attackers-where-in-the-world-3/#comments</comments>
		<pubDate>Mon, 15 Feb 2010 20:19:02 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/?p=30</guid>
		<description><![CDATA[Two previous rounds of analysis using IP geolocation with Whois (Part 1 and Part 2) revealed that 40% to 45% of network intrusion attempts arriving at my public-facing SSH port could be traced back to Chinese hackers, and 20% to 25% to attackers in Russia and Eastern Europe. The tally is now in from a [...]]]></description>
			<content:encoded><![CDATA[<p>Two previous rounds of analysis using IP geolocation with Whois (<a href="http://www.scottbrownconsulting.com/2009/08/network-attackers-where-in-the-world/">Part 1</a> and <a href="http://www.scottbrownconsulting.com/2009/10/network-attackers-where-in-the-world-2/">Part 2</a>) revealed that 40% to 45% of network intrusion attempts arriving at my public-facing SSH port could be traced back to Chinese hackers, and 20% to 25% to attackers in Russia and Eastern Europe. The tally is now in from a third round of observations, boasting a significantly longer integration period (more than four months versus about six to seven weeks in the earlier rounds) and yielding plenty of interesting and even unexpected results. <span id="more-30"></span></p>
<p>First things first: logs do not lie, and <b>SSH Scan attacks are on the rise</b>. Attacks occurred with an average frequency of 0.583 per day in round one; in round two there were 1.065 attacks seen per day; and in the round now closing, I logged 1.417 attacks per day on average. Considering that the total span of time under view is just eight short months, I would describe this escalation in the rate of a rather specialized and esoteric attack as rapid and alarming, and as carrying the implication that more commonplace network attacks are likewise intensifying.</p>
<p align=center><img src="http://www.scottbrownconsulting.com/images/20100215a.gif" alt="SSH Scan Frequency" width="532" height="379"></p>
<p>On 180 occasions between October 10, 2009 and February 13, 2010, intruders from 154 different IP addresses in 37 different countries were caught trying to gain illicit access to my server by dictionary attacking the SSH service. Every one of these attackers was promptly blacklisted automatically by <a target="_blank" href="http://www.fail2ban.org/">fail2ban</a>. Repeat offenders numbering 16 came back for further punishment, none more frequently than our old friends at 61.129.60.23, &#8220;Shanghai Telecom Corporation EDI Branch&#8221; in Shanghai, China, familiar from being banned three times in round two &#8211; banned six times this round.</p>
<p>China maintained the dubious distinction of leadership position among all regions, chalking up 76 out of the 180 observed attacks or 42% share, consistent with expectations from past rounds. In fact, as the chart below illustrates, all other attack origins besides China occurred at a fraction of the rate by comparison, suggesting more or less uniform or &#8220;background&#8221; frequency for their regions, leaving China dominant alone over all the world. (Better get used to that.)</p>
<p align=center><img src="http://www.scottbrownconsulting.com/images/20100215b.gif" alt="SSH Scans by Region" width="532" height="451"></p>
<p>Meanwhile, Russia and Eastern Europe logged an unexpectedly low share of all attack activity in light of past rounds, picking up only 15 attacks or 8% share. The same chart in earlier rounds showed 20% to 25% aggregate representation from Russia, Poland, and other satellite states of the former USSR &#8211; less pronounced than China but significantly greater than other regions. What happened to all the ex-Soviet bloc hackers that were tripping over themselves to break into my unremarkable Linux server prior to October? To tell you the truth, I don&#8217;t know. Either some factor caused this region to be spuriously overrepresented in rounds one and two, or some factor caused it to be spuriously underrepresented in round three, or the falloff is real. </p>
<p>China&#8217;s continued domination within the network intrusion arena should come as no surprise amid last month&#8217;s highly publicized allegations of state-sponsored electronic espionage and cyberwarfare, <a href="http://www.scottbrownconsulting.com/2010/01/cyberwarfare-rages-guess-where/">delivered</a> at the hands of victimized Google. Forensics investigators <a target="_blank" href="http://www.wired.com/threatlevel/2010/01/operation-aurora/">purport</a> that valuable data was bounced back to attackers through command and control servers in Illinois, Texas, and Taiwan, while Texas-based Rackspace, Inc. &#8211; from whose IP block, by the way, we were surreptitiously scanned in both rounds two and three &#8211; was specifically implicated. A malicious agent (Chinese or otherwise) that wished to mount attacks against valuable targets and dispose of their tracks after the fact would need to amass networks of such intermediate relays. The wide area network intrusion vector, unlike, say, web or file-packaged attack vectors that target the endpoint, conveniently <i>selects</i> for systems that already have desirable open network posture and can act as relays once compromised.</p>
<p>For the record, here is the complete round three log detail:</p>
<p>Who is at risk from this hacking activity? Service providers have the most direct exposure and should think long and hard about their perimeter defenses. Weak passwords on any WAN-facing service are an open invite to compromise. The most diligently patched, up to date system will get taken down in an instant on bad password security (as in <a target="_blank" href="http://www.securityfocus.com/infocus/1903">this</a> example), though in that case the intruder probably won&#8217;t be able to gain root. Risk analysis used to be predicated upon the dollar value of data on the host &#8211; e.g., Ann&#8217;s knitting store site merited less intrusion protection than a large merchant site server or a banking web application. In the new threat environment where every shell compromise might well be one hop away from a national security breach, can system administrators continue to be so lax?</p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/Operation_Aurora">Wikipedia: Operation Aurora</a></p>
<p><a target="_blank" href="http://www.wired.com/threatlevel/2010/01/operation-aurora/">Wired: Threat Level &#8211; Google Attack Details</a></p>
<p><a target="_blank" href="http://www.securityfocus.com/infocus/1903">SecurityFocus Infocus: Responding to a Brute Force SSH Attack</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2010/02/network-attackers-where-in-the-world-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwarfare Rages, Guess Where</title>
		<link>http://www.scottbrownconsulting.com/2010/01/cyberwarfare-rages-guess-where/</link>
		<comments>http://www.scottbrownconsulting.com/2010/01/cyberwarfare-rages-guess-where/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 02:22:52 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/?p=29</guid>
		<description><![CDATA[Late breaking articles from the New York Times and Wall Street Journal this evening caught my eye, wherein one seriously pissed off Google Inc opens up a surprisingly hard line against Beijing: 

NYT: Google, Citing Cyber Attack, Threatens to Exit China
Google threatened late Tuesday to pull out of its operations in China after it said [...]]]></description>
			<content:encoded><![CDATA[<p>Late breaking articles from the <a target="_blank" href="http://www.nytimes.com/2010/01/13/world/asia/13beijing.html">New York Times</a> and <a target="_blank" href="http://online.wsj.com/article/SB126333757451026659.html?mod=WSJ_PersonalTechnology_RightTopCarousel">Wall Street Journal</a> this evening caught my eye, wherein one <i>seriously pissed off</i> Google Inc opens up a surprisingly hard line against Beijing: <span id="more-29"></span></p>
<blockquote>
<p><b>NYT: <a target="_blank" href="http://www.nytimes.com/2010/01/13/world/asia/13beijing.html">Google, Citing Cyber Attack, Threatens to Exit China</a></b></p>
<p>Google threatened late Tuesday to pull out of its operations in China after it said it had uncovered a massive cyber attack on its computers that originated there.</p>
<p>As a result, the company said, it would no longer agree to censor its search engine in China and may exit the country altogether.</p>
<p>Google said that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists, but that the attack also targeted 20 other large companies&#8230;</p>
<p>&#8220;We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China,” &#8230;adding that the decision was being driven by executives in the United States, “without the knowledge or involvement of our employees in China.&#8221;</p>
<p><b>Google did not publicly link the Chinese government to the cyber attack, but people with knowledge of Google’s investigation said they had enough evidence to justify its actions.</b></p>
<p>34 companies were targeted&#8230; The attacks came from Taiwanese Internet addresses&#8230; stolen documents were sent electronically to a server controlled by Rackspace, based in San Antonio.</p>
</blockquote>
<p>The official statement from Google&#8217;s legal chief stops short of saying, but leaves no mistaking, that these intrusions were definitively determined to be PRC state-sponsored activity, although they originated from Taiwanese IPs.</p>
<blockquote>
<p><b>WSJ: <a target="_blank" href="http://online.wsj.com/article/SB126333757451026659.html?mod=WSJ_PersonalTechnology_RightTopCarousel">Google Warns of China Exit Over Hacking</a></b></p>
<p>Google Inc. said it may leave China after an investigation found the company had been hit with major cyber attacks it believes originated from the country&#8230;</p>
<p><b>Investigators are probing whether the attack is linked to the Chinese government or intelligence services&#8230;</b> The attack has piqued the interest of U.S. intelligence agencies, including the National Security Agency&#8230;</p>
<p>For Google to withdraw from China would be an extremely rare repudiation by a Western company of what is almost universally seen in big business as one of the world&#8217;s most important markets. Even the public suggestion that it is considering such a move is likely to infuriate Chinese authorities.</p>
<p>Google said&#8230; it was making its move because it detected a &#8220;highly sophisticated and targeted attack on our corporate infrastructure originating from China&#8221; in mid-December. Google said the attack resulted in &#8220;the theft of intellectual property from Google.&#8221;</p>
<p>The perpetrators launched the attacks from at least six Internet addresses located in Taiwan, which is a common strategy used by Chinese hackers to mask their origin&#8230; The attackers used at least seven different types of attack code&#8230;</p>
</blockquote>
<p>I&#8217;ve been <a href="http://www.scottbrownconsulting.com/2009/10/network-attackers-where-in-the-world-2/">harping</a> on the phenomenon of Chinese cybercriminals, but of course Chinese cybersoldiers are just the flip-side of the same coin.</p>
<p>Now at least we know why Chinese hackers want in to my SSH server so bad&#8230; for use in mounting distributed attacks against Gmail.</p>
<p>I think Google will turn more conciliatory in the coming days to save face and their high growth revenue interests, but we are surely witnessing what will go down in socio/military/political history books as one of the more pronounced, and certainly most publicly visible, opening volleys on the cyberwarfare front.</p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://www.nytimes.com/2010/01/13/world/asia/13beijing.html">NYT: Google, Citing Cyber Attack, Threatens to Exit China</a></p>
<p><a target="_blank" href="http://online.wsj.com/article/SB126333757451026659.html?mod=WSJ_PersonalTechnology_RightTopCarousel">WSJ: Google Warns of China Exit Over Hacking</a></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/Cyberwarfare">Wikipedia: Cyberwarfare</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2010/01/cyberwarfare-rages-guess-where/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TrueCrypt 6.3a Released</title>
		<link>http://www.scottbrownconsulting.com/2009/11/truecrypt-6-3a-released/</link>
		<comments>http://www.scottbrownconsulting.com/2009/11/truecrypt-6-3a-released/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 03:33:44 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Encryption]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/?p=28</guid>
		<description><![CDATA[A minor maintenance update to disk encryption tool TrueCrypt was released yesterday. The release notes cite bugfixes only, so this update may be viewed as optional for users already running at least TrueCrypt 6.1a, the last &#8220;highly recommended&#8221; maintenance update, absent those experiencing any specific issues. 

6.3a
November 23, 2009
&#160;&#160;&#160;&#160;&#160;&#160;Improvements and bug fixes:


Minor improvements and bug [...]]]></description>
			<content:encoded><![CDATA[<p>A minor maintenance update to disk encryption tool <a target="_blank" href="http://www.truecrypt.org">TrueCrypt</a> was released yesterday. The <a target="_blank" href="http://www.truecrypt.org/docs/?s=version-history">release notes</a> cite bugfixes only, so this update may be viewed as optional for users already running at least TrueCrypt 6.1a, the last &#8220;highly recommended&#8221; maintenance update, except those experiencing specific issues. <span id="more-28"></span></p>
<blockquote>
<p><b>6.3a</b></p>
<p>November 23, 2009</p>
<p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Improvements and bug fixes:</b></p>
<ul>
<li>
<p>Minor improvements and bug fixes.&nbsp;&nbsp;(<i>Windows, Mac OS X, and Linux</i>)</p>
</li>
</ul>
</blockquote>
<p>Such glaring lack of detail in the release notes leaves upgraders unable to ascertain whether the newest fixes do or do not apply to their installations. I have complained about the lack of transparency <a href="http://www.scottbrownconsulting.com/2009/10/truecrypt-6-3-released/">before</a> though, so I guess the developers have not dropped by. Are there performance improvements, security fixes, new features, or all of the above? Do they apply only to a specific architecture, or everyone? TrueCrypt: your users need to know these things.</p>
<p>In any event I will perform the upgrade to 6.3a on my affected systems for the sake of keeping current.</p>
<p>If you don&#8217;t already have <a href="http://www.scottbrownconsulting.com/2009/02/full-disk-encryption-service-now-available/">Full Disk Encryption</a> on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer <a href="http://www.scottbrownconsulting.com/services/">full service TrueCrypt Full Disk Encryption installation</a> for those who are most comfortable having an expert perform the procedure using streamlined tools. <a href="http://www.scottbrownconsulting.com/contact/">Contact me</a> for information.</p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://www.truecrypt.org">TrueCrypt Homepage</a></p>
<p><a target="_blank" href="http://www.truecrypt.org/docs/?s=version-history">TrueCrypt Release Notes</a></p>
<p><a target="_blank" href="http://www.truecrypt.org/downloads">TrueCrypt Download Latest Stable Version</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2009/11/truecrypt-6-3a-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TrueCrypt 6.3 Released</title>
		<link>http://www.scottbrownconsulting.com/2009/10/truecrypt-6-3-released/</link>
		<comments>http://www.scottbrownconsulting.com/2009/10/truecrypt-6-3-released/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 21:48:31 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Encryption]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/?p=27</guid>
		<description><![CDATA[The latest maintenance release of disk encryption tool TrueCrypt made general availability today, adding most notably updated operating system support, including support for Windows 7 and Mac OS X 10.6. The release notes don&#8217;t indicate anything terrifically critical, so this release may be viewed as optional for users already running at least TrueCrypt 6.1a, the [...]]]></description>
			<content:encoded><![CDATA[<p>The latest maintenance release of disk encryption tool <a target="_blank" href="http://www.truecrypt.org">TrueCrypt</a> made general availability today, adding most notably updated operating system support, including support for Windows 7 and Mac OS X 10.6. The <a target="_blank" href="http://www.truecrypt.org/docs/?s=version-history">release notes</a> don&#8217;t indicate anything terrifically critical, so this release may be viewed as optional for users already running at least TrueCrypt 6.1a, the last &#8220;highly recommended&#8221; maintenance update. That being said, I&#8217;ll be immediately updating all installations. <span id="more-27"></span></p>
<blockquote>
<p><b>6.3</b></p>
<p>October 21, 2009</p>
<p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;New features:</b></p>
<ul>
<li>
<p>Full support for Windows 7.</p>
</li>
<li>
<p>Full support for Mac OS X 10.6 Snow Leopard. </p>
</li>
<li>
<p>The ability to configure selected volumes as &#8216;system favorite volumes&#8217;. This is useful, for example, when you have volumes that need to be mounted before system and application services start and before users start logging on. It is also useful when there are network-shared folders located on a TrueCrypt volume and you need to ensure that the network shares will be restored by the system each time it is restarted. For more information, see the chapter &#8216;<i>Main Program Window</i>&#8217;, section &#8216;<i>Program Menu</i>&#8217;, subsection &#8216;<i>Volumes -&gt; Save Currently Mounted Volumes as Favorite</i>&#8217; in the documentation.&nbsp;(<i>Windows</i>)</p>
</li>
</ul>
<p><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Improvements and bug fixes:</b></p>
<ul>
<li>
<p>&#8216;Favorite&#8217; volumes residing within partitions or dynamic volumes will no longer be affected by changes in disk device numbers, which may occur, e.g., when a drive is removed or added. &nbsp;(<i>Windows</i>)</p>
</li>
<li>
<p>Many other minor improvements and bug fixes.&nbsp;&nbsp;(<i>Windows, Mac OS X, and Linux</i>)</p>
</li>
</ul>
</blockquote>
<p>The release notes always say <i>&#8220;Many other minor improvements and bug fixes.&#8221;</i> For once I would like to know what exactly the improvements and bugfixes include in detail. If there&#8217;s one complaint I have about TrueCrypt it&#8217;s lack of transparency from the developers.</p>
<p>The <i>in situ</i> version update procedure is fairly trivial, overwriting the installed version of the application and rewriting an updated boot loader in the case of Full Disk Encryption. The end-to-end drive encryption pass does <i>not</i> have to be run again (a common concern). It is recommended (not enforced, but highly advisable) to burn an updated rescue CD for FDE systems since the boot loader has changed &#8211; I always do.</p>
<p>If you don&#8217;t already have <a href="http://www.scottbrownconsulting.com/2009/02/full-disk-encryption-service-now-available/">Full Disk Encryption</a> on your portable laptop / notebook / netbook computers, this fresh release presents an excellent opportunity to get serious about data theft prevention and fortify your security posture. I offer <a href="http://www.scottbrownconsulting.com/services/">full service TrueCrypt Full Disk Encryption installation</a> for those who are most comfortable having an expert perform the procedure using streamlined tools. <a href="http://www.scottbrownconsulting.com/contact/">Contact me</a> for information.</p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://www.truecrypt.org">TrueCrypt Homepage</a></p>
<p><a target="_blank" href="http://www.truecrypt.org/docs/?s=version-history">TrueCrypt Release Notes</a></p>
<p><a target="_blank" href="http://www.truecrypt.org/downloads">TrueCrypt Download Latest Stable Version</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2009/10/truecrypt-6-3-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Attackers: Where In The World 2</title>
		<link>http://www.scottbrownconsulting.com/2009/10/network-attackers-where-in-the-world-2/</link>
		<comments>http://www.scottbrownconsulting.com/2009/10/network-attackers-where-in-the-world-2/#comments</comments>
		<pubDate>Sat, 10 Oct 2009 19:54:32 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/?p=26</guid>
		<description><![CDATA[Time to tally up the new results since my last report on network intruder geolocation using Whois. Will the trend showing two-thirds of attackers as hailing from China, Russia and the former Soviet bloc hold for this new integration period? Place your bets. 


2009-08-23 09:21:13,847 fail2ban.actions: WARNING [ssh] Ban 218.32.80.168
2009-08-23 14:44:24,907 fail2ban.actions: WARNING [ssh] Ban [...]]]></description>
			<content:encoded><![CDATA[<p>Time to tally up the new results since my <a href="http://www.scottbrownconsulting.com/2009/08/network-attackers-where-in-the-world/">last report</a> on network intruder geolocation using Whois. Will the trend showing two-thirds of attackers as hailing from China, Russia and the former Soviet bloc hold for this new integration period? Place your bets. <span id="more-26"></span></p>
<blockquote>
<pre>
2009-08-23 09:21:13,847 fail2ban.actions: WARNING [ssh] Ban 218.32.80.168
2009-08-23 14:44:24,907 fail2ban.actions: WARNING [ssh] Ban 62.60.136.145
2009-08-24 08:49:00,997 fail2ban.actions: WARNING [ssh] Ban 93.186.192.46
2009-08-31 06:14:55,887 fail2ban.actions: WARNING [ssh] Ban 190.2.57.137
2009-08-31 15:14:19,937 fail2ban.actions: WARNING [ssh] Ban 121.78.237.148
2009-09-03 20:00:12,137 fail2ban.actions: WARNING [ssh] Ban 211.157.108.140
2009-09-03 20:19:31,177 fail2ban.actions: WARNING [ssh] Ban 211.157.108.140
2009-09-04 14:39:30,267 fail2ban.actions: WARNING [ssh] Ban 219.143.251.37
2009-09-05 05:46:46,337 fail2ban.actions: WARNING [ssh] Ban 201.27.1.91
2009-09-05 17:51:28,387 fail2ban.actions: WARNING [ssh] Ban 193.194.69.164
2009-09-05 20:02:32,427 fail2ban.actions: WARNING [ssh] Ban 98.124.82.222
2009-09-07 06:33:02,187 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-08 16:17:26,277 fail2ban.actions: WARNING [ssh] Ban 219.134.242.67
2009-09-09 22:49:12,367 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-10 04:44:55,447 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-09-10 16:36:47,517 fail2ban.actions: WARNING [ssh] Ban 124.128.93.118
2009-09-11 06:06:07,627 fail2ban.actions: WARNING [ssh] Ban 93.152.158.26
2009-09-13 08:33:49,037 fail2ban.actions: WARNING [ssh] Ban 212.72.132.166
2009-09-13 14:39:57,127 fail2ban.actions: WARNING [ssh] Ban 208.94.173.137
2009-09-14 10:34:19,207 fail2ban.actions: WARNING [ssh] Ban 12.120.201.208
2009-09-15 12:06:46,279 fail2ban.actions: WARNING [ssh] Ban 118.102.25.161
2009-09-16 03:46:53,866 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-16 15:27:42,936 fail2ban.actions: WARNING [ssh] Ban 211.242.211.44
2009-09-17 11:52:43,066 fail2ban.actions: WARNING [ssh] Ban 174.143.214.143
2009-09-18 03:06:10,136 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-18 09:28:54,176 fail2ban.actions: WARNING [ssh] Ban 202.65.129.106
2009-09-18 13:58:47,216 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-19 21:27:59,326 fail2ban.actions: WARNING [ssh] Ban 218.206.27.9
2009-09-22 09:32:49,806 fail2ban.actions: WARNING [ssh] Ban 118.213.88.7
2009-09-22 14:17:04,846 fail2ban.actions: WARNING [ssh] Ban 81.200.21.26
2009-09-23 06:10:49,936 fail2ban.actions: WARNING [ssh] Ban 72.249.66.204
2009-09-24 07:05:45,006 fail2ban.actions: WARNING [ssh] Ban 117.41.168.90
2009-09-25 17:23:18,136 fail2ban.actions: WARNING [ssh] Ban 117.135.9.34
2009-09-27 04:08:28,236 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-27 09:28:05,586 fail2ban.actions: WARNING [ssh] Ban 122.200.82.161
2009-09-27 11:13:12,626 fail2ban.actions: WARNING [ssh] Ban 61.152.95.172
2009-09-28 12:08:31,696 fail2ban.actions: WARNING [ssh] Ban 60.251.154.27
2009-09-28 19:05:32,746 fail2ban.actions: WARNING [ssh] Ban 217.24.240.88
2009-09-29 09:10:07,806 fail2ban.actions: WARNING [ssh] Ban 204.124.181.80
2009-09-30 02:53:46,886 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-10-04 00:38:25,096 fail2ban.actions: WARNING [ssh] Ban 202.106.124.227
2009-10-04 04:24:24,136 fail2ban.actions: WARNING [ssh] Ban 89.43.80.249
2009-10-04 08:34:45,546 fail2ban.actions: WARNING [ssh] Ban 212.50.27.194
2009-10-05 05:14:35,673 fail2ban.actions: WARNING [ssh] Ban 58.61.149.213
2009-10-05 21:58:46,756 fail2ban.actions: WARNING [ssh] Ban 95.156.204.6
2009-10-06 10:57:48,836 fail2ban.actions: WARNING [ssh] Ban 124.116.26.6
2009-10-06 18:30:14,906 fail2ban.actions: WARNING [ssh] Ban 82.226.213.131
2009-10-07 08:40:50,956 fail2ban.actions: WARNING [ssh] Ban 91.187.129.20
2009-10-07 09:46:52,006 fail2ban.actions: WARNING [ssh] Ban 203.92.35.148
</pre>
</blockquote>
<p>Attackers certainly got down to business, attacking 49 times over the course of 46 days, a 75% increase in attack volume over the previous period of like duration. Attacks originated from 43 different hosts, three of which were repeat offenders. Host address 80.48.178.2 topped the &#8220;serial offender&#8221; category, getting banned four times in a 23-day window. Host address 61.129.60.23 got banned three times in a 19-day window.</p>
<p>Turning to the <a target="_blank" href="http://en.wikipedia.org/wiki/WHOIS">Whois</a> registries for the geographic locations of our new friends, we find:</p>
<blockquote>
<pre>
<b>IP address        Registry    Registrant, Location</b>
218.32.80.168     APNIC       New Century InfoComm, Taipei, Taiwan
62.60.136.145     RIPE        Iranian Research Org Sci/Tech, Tehran, Iran
93.186.192.46     RIPE        Fast IT GmbH, Dusseldorf, Germany
190.2.57.137      LACNIC      NSS S.A., Buenos Aires, Argentina
121.78.237.148    APNIC       Kinx Inc, Seoul, South Korea
211.157.108.140   APNIC       Chinacomm, Beijing, China
219.143.251.37    APNIC       Jewim Pharmaceutical Inc, Beijing, China
201.27.1.91       LACNIC      Telecom De Sao Paulo S.A., Sao Paulo, Brazil
193.194.69.164    AfriNIC     Research Ctr Sci/Tech Info, Algiers, Algeria
98.124.82.222     ARIN        Home Telephone Co Inc, Moncks Corner, SC, USA
80.48.178.2       RIPE        ART-COM s.c., Kamiensk, Poland
219.134.242.67    APNIC       "Big Customer Department", Guangzhou, China
61.129.60.23      APNIC       Shanghai Tel Corp EDI Branch, Shanghai, China
222.68.194.69     APNIC       China Telecom, Shanghai Province, China
124.128.93.118    APNIC       Jinan Xinyueliang Net Bar, Shandong Prv, China
93.152.158.26     RIPE        OnlineDirect, Sofia, Bulgaria
212.72.132.166    RIPE        Sa*Net Network, Tbilisi, Georgia
208.94.173.137    ARIN        Carrier Connex Inc, Toronto, Ontario, Canada
12.120.201.208    ARIN        AT&#038;T WorldNet Services, Morristown, NJ, USA
118.102.25.161    APNIC       Langfang Univ Devlpmt Area, Hebei Prv, China
211.242.211.44    APNIC       Dreamline Co, Seoul, South Korea
174.143.214.143   ARIN        Rackspace/Slicehost, San Antonio, TX, USA
202.65.129.106    APNIC       Pioneer Online Pvt Ltd, Hyderabad, India
218.206.27.9      APNIC       China Mobile, Chongqing, China
118.213.88.7      APNIC       Xi Ning Telecom, QingHai Province, China
81.200.21.26      RIPE        SU29 Telecom, Moscow, Russia
72.249.66.204     ARIN        Colo4Dallas/RimuHosting, Dallas, TX, USA
117.41.168.90     APNIC       China Telecom, Jiangxi Province, China
117.135.9.34      APNIC       China Mobile, Beijing, China
122.200.82.161    APNIC       HeJu ShuZi Telecom Engg, Beijing, China
61.152.95.172     APNIC       China Telecom, Shanghai Province, China
60.251.154.27     APNIC       Chunghwa Telecom, Taipei, Taiwan
217.24.240.88     RIPE        Albtelecom Sh.a., Tirana, Albania
204.124.181.80    ARIN        VolumeDrive, Clarks Summit, PA, USA
202.106.124.227   APNIC       China Unicom, Beijing, China
89.43.80.249      RIPE        Sc Century Net SRL, Suceava, Romania
212.50.27.194     RIPE        ProGroup BG, Rousse, Bulgaria
58.61.149.213     APNIC       China Telecom, Guangdong Province, China
95.156.204.6      RIPE        Weblino.de, Polch, Germany
124.116.26.6      APNIC       China Telecom, Shanxi Province, China
82.226.213.131    RIPE        Proxad / Free SAS, Paris, France
91.187.129.20     RIPE        Bolnica Valjevo, Belgrade, Serbia
203.92.35.148     APNIC       Spectranet, New Delhi, India
</pre>
</blockquote>
<p>To reiterate, the named registrants are network owners and operators, usually local ISPs, who are non-complicit bystanders in this hackery and do not represent the attackers themselves. (But a few do have hilarious names. E.g., <i>Please hold while I transfer you to &#8220;Big Customer Department&#8221;</i>.)</p>
<p>Finally, the results:</p>
<p align=center><img src="http://www.scottbrownconsulting.com/images/20091010a.gif" alt="SSH Scans by Region" width="513" height="442"></p>
<p>The trend from <a href="http://www.scottbrownconsulting.com/2009/08/network-attackers-where-in-the-world/">last time</a> remains intact: Attacks tend to originate from the bustling cybercrime industries of China, Russia, and the environs of Eastern Europe a.k.a. the former Soviet bloc, arriving from these zones roughly two-thirds of the time. Highlighting the trend, our 4x serial attacker was located in Poland, and our 3x serial attacker in Shanghai.</p>
<p>Something bothered me about this analysis: What if some originating hosts were themselves drone systems, previously compromised by a hacker in an entirely different zone from their given location, mounting intrusion attempts through them from a posture of indirection? Could this throw off the results? Thinking about it, I concluded that while the effect is definitely present, it cuts both ways. Attackers in China could be one hop behind attacks appearing to originate from the USA, just as well as attackers from the USA could be one hop behind attacks appearing to originate from Russia, just as well as attackers from Zimbabwe could be one hop behind attacks appearing to originate from Germany, etc. On balance, we may assume these effects cancel each other out. What&#8217;s more, <i>if</i> attackers <i>are</i> geographically concentrated, and an indirection effect is present, it would tend to skew the data <i>away</i> from the concentrations, implying that attackers are even more strongly concentrated than first inferred.</p>
<p>I noticed that a number of users discussing this same trend on various blogs and security forums have taken this finding and run with it, blocking, for example, the entire .ru country code from their networks. Aggressive, but questionably effective, and not something I practice&#8230; but an example of countermeasures one could mount.</p>
<p>If you have exposure to the wide area network, and you prefer not to have your personal and customer data breached, your systems defaced and your ability to do business interrupted, it is crucial to mitigate your risk of network intrusion, and many other salient security risks, with appropriate countermeasures. I can <a href="http://www.scottbrownconsulting.com/services/">show you</a> techniques for preventing attackers from breaking into your systems. Don&#8217;t wait until the damage is done!</p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/WHOIS">Wikipedia: WHOIS</a></p>
<p><a target="_blank" href="http://ws.arin.net/whois/">ARIN Whois Lookup</a></p>
<p><a target="_blank" href="http://wq.apnic.net/apnic-bin/whois.pl">APNIC Whois Lookup</a></p>
<p><a target="_blank" href="http://www.db.ripe.net/whois">RIPE Whois Lookup</a></p>
<p><a target="_blank" href="http://lacnic.net/cgi-bin/lacnic/whois">LACNIC Whois Lookup</a></p>
<p><a target="_blank" href="http://www.afrinic.net/cgi-bin/whois">AfriNIC Whois Lookup</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2009/10/network-attackers-where-in-the-world-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Attackers: Where In The World</title>
		<link>http://www.scottbrownconsulting.com/2009/08/network-attackers-where-in-the-world/</link>
		<comments>http://www.scottbrownconsulting.com/2009/08/network-attackers-where-in-the-world/#comments</comments>
		<pubDate>Sun, 23 Aug 2009 00:31:41 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/2009/08/network-attackers-where-in-the-world/</guid>
		<description><![CDATA[Let&#8217;s have a look at who&#8217;s been trying to break into SSH service on my development server recently, and where in the world they&#8217;re attacking from. Since I implemented fail2ban to trap out these attempted dictionary attacks, it&#8217;s logged the network addresses of all the culprits. Here&#8217;s who got caught in recent activity: 


2009-07-06 19:41:21,425 [...]]]></description>
			<content:encoded><![CDATA[<p>Let&#8217;s have a look at who&#8217;s been trying to break into SSH service on my development server recently, and where in the world they&#8217;re attacking from. Since I <a href="http://www.scottbrownconsulting.com/2008/12/network-intrusion-encounters-and-countermeasures/">implemented fail2ban</a> to trap out these attempted dictionary attacks, it&#8217;s logged the network addresses of all the culprits. Here&#8217;s who got caught in recent activity: <span id="more-25"></span></p>
<blockquote>
<pre>
2009-07-06 19:41:21,425 fail2ban.actions: WARNING [ssh] Ban 83.15.85.210
2009-07-08 13:48:43,565 fail2ban.actions: WARNING [ssh] Ban 87.229.101.170
2009-07-10 10:59:36,625 fail2ban.actions: WARNING [ssh] Ban 211.155.227.18
2009-07-14 00:12:49,866 fail2ban.actions: WARNING [ssh] Ban 202.109.242.18
2009-07-16 05:14:16,456 fail2ban.actions: WARNING [ssh] Ban 89.207.64.170
2009-07-17 01:34:32,566 fail2ban.actions: WARNING [ssh] Ban 91.83.48.226
2009-07-17 06:47:01,616 fail2ban.actions: WARNING [ssh] Ban 202.96.199.150
2009-07-21 04:22:42,195 fail2ban.actions: WARNING [ssh] Ban 80.190.191.124
2009-07-21 06:33:19,415 fail2ban.actions: WARNING [ssh] Ban 200.52.194.36
2009-07-25 00:26:18,623 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-07-26 00:20:16,743 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-07-27 22:43:14,553 fail2ban.actions: WARNING [ssh] Ban 80.88.248.30
2009-07-28 13:54:37,653 fail2ban.actions: WARNING [ssh] Ban 72.44.174.162
2009-07-29 01:52:28,733 fail2ban.actions: WARNING [ssh] Ban 218.16.224.203
2009-07-29 19:41:58,923 fail2ban.actions: WARNING [ssh] Ban 125.208.3.9
2009-07-30 13:39:40,597 fail2ban.actions: WARNING [ssh] Ban 94.89.83.58
2009-08-01 09:57:49,727 fail2ban.actions: WARNING [ssh] Ban 80.86.201.29
2009-08-02 06:38:09,777 fail2ban.actions: WARNING [ssh] Ban 173.45.241.236
2009-08-02 14:47:14,147 fail2ban.actions: WARNING [ssh] Ban 124.124.9.43
2009-08-07 23:35:22,597 fail2ban.actions: WARNING [ssh] Ban 202.109.242.18
2009-08-12 20:06:36,877 fail2ban.actions: WARNING [ssh] Ban 222.242.186.83
2009-08-13 19:01:42,967 fail2ban.actions: WARNING [ssh] Ban 85.115.100.144
2009-08-13 22:27:14,007 fail2ban.actions: WARNING [ssh] Ban 98.112.35.38
2009-08-14 01:32:15,057 fail2ban.actions: WARNING [ssh] Ban 219.237.197.158
2009-08-14 09:31:25,117 fail2ban.actions: WARNING [ssh] Ban 81.200.21.26
2009-08-16 12:12:31,627 fail2ban.actions: WARNING [ssh] Ban 221.233.134.124
2009-08-20 19:50:08,877 fail2ban.actions: WARNING [ssh] Ban 202.107.209.35
2009-08-22 12:20:31,127 fail2ban.actions: WARNING [ssh] Ban 115.108.25.2
</pre>
</blockquote>
<p>That&#8217;s 28 attacks over the course of 48 days, originating from 26 different hosts (two were repeat offenders).</p>
<p>Digging through the regional <a target="_blank" href="http://en.wikipedia.org/wiki/WHOIS">Whois</a> registries, we can discover the geographic locations of the network segments on which these remote IP addresses were assigned, and the names of the network operators:</p>
<blockquote>
<pre>
<b>IP address        Registry    Registrant, Location</b>
83.15.85.210      RIPE        Bielany Wroclawskie, Warsaw, Poland
87.229.101.170    RIPE        Polgarhaz Holding Kft., Budapest, Hungary
211.155.227.18    APNIC       Netli.lic., Hangzhou, China
202.109.242.18    APNIC       China Telecom, Fujian Province, China
89.207.64.170     RIPE        Joint Stock Company Svyazist, Kstovo, Russia
91.83.48.226      RIPE        Inest Hosting, Szeged, Hungary
202.96.199.150    APNIC       China Telecom, Shanghai Province, China
80.190.191.124    RIPE        IP Exchange GmbH, Nuremberg, Germany
200.52.194.36     LACNIC      MegaCable SA de CV, Guadalajara, Mexico
222.68.194.69     APNIC       China Telecom, Shanghai Province, China
80.88.248.30      RIPE        2Connect WLL, Manama, Bahrain
72.44.174.162     ARIN        ATX Telecom Services, King Of Prussia, PA, USA
218.16.224.203    APNIC       China Telecom, Guangdong Province, China
125.208.3.9       APNIC       Beijing Primezone Technologies, Beijing, China
94.89.83.58       RIPE        Tendensia SRL, Castellaneta, Italy
80.86.201.29      RIPE        Green.ch AG, Brugg, Switzerland
173.45.241.236    ARIN        Slicehost LLC, St. Louis, MO, USA
124.124.9.43      APNIC       Reliance Communications Ltd, Mumbai, India
222.242.186.83    APNIC       China Telecom, Hunan Province, China
85.115.100.144    RIPE        Sia "Pronets", Riga, Latvia
98.112.35.38      ARIN        Verizon DSL, San Fernando, CA, USA
219.237.197.158   APNIC       Jin'Ou Building, Beijing, China
81.200.21.26      RIPE        SU29 Telecom, Moscow, Russia
221.233.134.124   APNIC       China Telecom, Hubei Province, China
202.107.209.35    APNIC       Ningbo Education Science Ctr, Zhejiang, China
115.108.25.2      APNIC       TATA Communications, Mumbai, India
</pre>
</blockquote>
<p>The named registrants are network owners and operators, usually local ISPs, who of course represent non-complicit intermediaries and not the attackers themselves. But these records do accurately reflect the geographic locations of the remote hosts from which the intrusion attempts originated. The listed country, at a minimum, is very reliable; IP geolocation by country with Whois should be over 95% accurate.</p>
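<p>The tally quoted above (bans, distinct hosts, repeat offenders, observation window) and the per-registry breakdown can be reproduced directly from the fail2ban log. The following is an added example, not the script used for this post; the log lines use documentation-range addresses and the Whois lookup table is constructed for illustration.</p>

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Ban lines in the format of the log excerpt:
#   2009-08-07 23:35:22,597 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
# Groups: 1 = timestamp (to the second), 2 = jail name, 3 = banned address.
BAN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"fail2ban\.actions: WARNING \[([^\]]+)\] Ban (\S+)\s*$"
)

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2009-07-06 03:12:44,101 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2009-07-06 03:22:44,312 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2009-07-09 14:01:07,555 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2009-07-15 22:40:19,870 fail2ban.actions: WARNING [apache] Ban 203.0.113.99
2009-07-21 08:05:33,004 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2009-07-30 11:15:02,640 fail2ban.actions: WARNING [ssh] Ban 999.10.10.10
2009-08-02 19:47:51,219 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2009-08-10 06:30:12,918 fail2ban.actions: WARNING [ssh] Ban 192.0.2.44
2009-08-22 12:20:31,127 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
"""

# Constructed lookup table: address -> (registry, country), as one would
# fill it in by hand from the regional Whois services.
SAMPLE_WHOIS = {
    "192.0.2.10": ("APNIC", "China"),
    "192.0.2.44": ("APNIC", "China"),
    "198.51.100.7": ("RIPE", "Russia"),
    "203.0.113.5": ("ARIN", "USA"),
}


def parse_bans(text, jail="ssh"):
    """Return [(datetime, ip)] for Ban events of one jail.

    Unban lines, other jails and syntactically invalid addresses are skipped.
    """
    bans = []
    for line in text.splitlines():
        match = BAN_RE.match(line)
        if match is None or match.group(2) != jail:
            continue
        try:
            ip = str(ipaddress.ip_address(match.group(3)))
        except ValueError:
            continue  # corrupt or truncated line
        when = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        bans.append((when, ip))
    return bans


def summarize(bans, whois):
    """Aggregate ban events into the figures reported in the post."""
    per_host = Counter(ip for _, ip in bans)
    days = [when.date() for when, _ in bans]
    # Window counts both the first and the last calendar day.
    window = (max(days) - min(days)).days + 1 if days else 0
    unknown = ("unknown", "unknown")
    return {
        "total_bans": len(bans),
        "unique_hosts": len(per_host),
        "repeat_offenders": sorted(ip for ip, n in per_host.items() if n != 1),
        "window_days": window,
        # Each host is counted once, however many times it was banned.
        "hosts_by_registry": dict(Counter(whois.get(ip, unknown)[0] for ip in per_host)),
        "hosts_by_country": dict(Counter(whois.get(ip, unknown)[1] for ip in per_host)),
    }


if __name__ == "__main__":
    report = summarize(parse_bans(SAMPLE_LOG), SAMPLE_WHOIS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

<p>Hosts missing from the lookup table are reported as "unknown" rather than dropped, so a gap in the Whois research shows up in the totals.</p>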
<p align=center><img src="http://www.scottbrownconsulting.com/images/20090822a.gif" alt="SSH Scans by Region" width="513" height="442"></p>
<p>There&#8217;s no mistaking that these attacks tend to originate from China and the former Soviet bloc. These areas are home to <a target="_blank" href="http://www.securitymanagement.com/news/china-hacker-schools-become-big-business-006017">bustling</a> <a target="_blank" href="http://news.xinhuanet.com/english/2009-08/04/content_11821911.htm">cybercrime</a> <a target="_blank" href="http://www.crn.com/security/218800207">industries</a>. Attackers seek to expose financial accounts presumed stored on servers, or to commandeer staging grounds for use in the infiltration of other lucrative targets.</p>
<p>This is just a tiny sample of all attack activity, being just one sensor on one port, on one host, on one network segment of the great wide internet that hackers direct their tools against. Attacks of this type and others, many of which are much more commonplace than SSH scans, originate from this same geographical profile.</p>
<p>How are you defending your network and data from these threats? Do you know about techniques for reducing your exposure? <a href="http://www.scottbrownconsulting.com/contact/">Let&#8217;s talk.</a></p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://www.fail2ban.org/">fail2ban Homepage</a></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/WHOIS">Wikipedia: WHOIS</a></p>
<p><a target="_blank" href="http://ws.arin.net/whois/">ARIN Whois Lookup</a></p>
<p><a target="_blank" href="http://wq.apnic.net/apnic-bin/whois.pl">APNIC Whois Lookup</a></p>
<p><a target="_blank" href="http://www.db.ripe.net/whois">RIPE Whois Lookup</a></p>
<p><a target="_blank" href="http://lacnic.net/cgi-bin/lacnic/whois">LACNIC Whois Lookup</a></p>
<p><a target="_blank" href="http://www.securitymanagement.com/news/china-hacker-schools-become-big-business-006017">China: Hacker Schools Become Big Business</a></p>
<p><a target="_blank" href="http://news.xinhuanet.com/english/2009-08/04/content_11821911.htm">China View: Training for hackers stirs worry about illegal actions</a></p>
<p><a target="_blank" href="http://www.crn.com/security/218800207">BlackHat USA 2009: Russian&#8217;s Organized Crime Heritage Paved Way For Cybercrime</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2009/08/network-attackers-where-in-the-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Applications of TrueCrypt, Part 1: Encrypted CDs</title>
		<link>http://www.scottbrownconsulting.com/2009/07/applications-of-truecrypt-part-1-encrypted-cds/</link>
		<comments>http://www.scottbrownconsulting.com/2009/07/applications-of-truecrypt-part-1-encrypted-cds/#comments</comments>
		<pubDate>Sat, 25 Jul 2009 17:53:11 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Encryption]]></category>

		<guid isPermaLink="false">http://www.scottbrownconsulting.com/?p=24</guid>
		<description><![CDATA[I previously discussed the merits of disk encryption as a countermeasure against the physical theft of portable computers and the leakage of private and confidential records that could ensue. But Full Disk Encryption is just scratching the surface of what can be done; the concept can and should be extended to all types of storage [...]]]></description>
			<content:encoded><![CDATA[<p>I previously discussed the <a href="http://www.scottbrownconsulting.com/2009/02/full-disk-encryption-service-now-available/">merits of disk encryption</a> as a countermeasure against the physical theft of portable computers and the leakage of private and confidential records that could ensue. But Full Disk Encryption is just scratching the surface of what can be done; the concept can and should be extended to all types of storage media, including portable media. I am currently using <a target="_blank" href="http://www.truecrypt.org/">TrueCrypt</a>&#8217;s encrypted file-container volume capabilities to create encrypted CD-R&#8217;s and USB memory sticks both as part of my own regular secure backup and data vaulting operations and in the implementation of secure backup and data portability solutions for my customers. <span id="more-24"></span></p>
<p>Why encrypt a CD? Well, think of it this way: You take a good deal of trouble to protect the data on your computer from disclosure, using access controls like login passwords and software countermeasures to protect against infection and intrusion; maybe you have even followed my advice and implemented Full Disk Encryption. Suppose, though, that you then burn some important documents (let&#8217;s say financial, tax, or customer records or the blueprints to a sensitive project) from your carefully protected computer to a plain old data CD. You place it on your desk, or in a spindle in a drawer, or in your car, or in a box to take to the post office. Later, when you&#8217;re not looking, a bad guy snatches this CD and makes off with it. Just like that, he has unrestricted access to its contents without ever having to defeat any defenses. This is a wide open security gap.</p>
<p>Encrypted CDs close this gap in an airtight way. They are effective against the risk of general theft from the premises, the risk of interception in transport, the risk of disclosure to an untrusted agent in a bailment situation as when data vaulting, the risk of corporate espionage, jealous lovers, the IRS, you name it. Whoever snags it will be the proud new owner of a nice pile of random data that, unless they have 5,000 years and a supercomputer, is totally opaque to them.</p>
<p>Secure portable storage media may even be required for regulatory compliance in many contexts, as when storing sensitive customer data such as Social Security Numbers, credit card numbers, or health records. Data breaches in military, public, and commercial sectors have increasingly been making headlines. Regulatory authorities in Nevada and Massachusetts <a target="_blank" href="http://www.csoonline.com/article/467964/Mass._CMR_The_Darkness_and_the_Light">just passed laws</a> requiring the mandatory encryption of Social Security numbers, bank account numbers, and credit card numbers when carried on portable storage devices like flash drives, setting a precedent that will likely see legislation nationwide.</p>
<p><b>How to make an encrypted CD</b></p>
<p>The gist of the procedure is to create an encrypted file-container volume with TrueCrypt that is <i>just slightly less</i> than the size of the target media. I use a 695MB .tc container filesize for a 700MB CD-R. (You could choose a similar container filesize for a 4.7GB single layer DVD-R or 8.5GB dual layer DVD-R). The extra margin of 5MB is used to add some <a target="_blank" href="http://en.wikipedia.org/wiki/AutoRun">AutoRun</a> machinery to the CD so that when the finished disk is inserted, Windows shell takes you right into password entry for mounting the encapsulated volume.</p>
<p>1. Create an encrypted file-container volume on disk</p>
<ol type="a">
<li>Open TrueCrypt and start the Volume Creation Wizard by clicking &#8220;Create Volume&#8221;</li>
<li>Choose the default &#8220;Create an encrypted file container&#8221;</li>
<li>Choose the default &#8220;Standard TrueCrypt volume&#8221;</li>
<li>Specify a scratch path where you have sufficient space to hold the 695MB container file. A scratch partition is ideal for this. Make up a filename of your choice; I usually name it contents.tc or [yyyymmdd].tc. For the purposes of this example let&#8217;s name it <b>contents.tc</b></li>
<li>For Encryption Options the default algorithms are fine unless you care to change them</li>
<li>Enter a volume size of 695MB</li>
<p align=center><img src="http://www.scottbrownconsulting.com/images/20090725a.jpg" alt="TrueCrypt Volume Creation Wizard" width="515" height="310" /></p>
<li>Specify a password, pick a good one</li>
<li>The documentation says Windows has problems with NTFS on read-only media, but I&#8217;ve never had a problem and always choose NTFS</li>
<li>Move the mouse around to populate the Random Pool, then finally click &#8220;Format&#8221; to create the container file</li>
<li>Writing of the container file shouldn&#8217;t take too long, seconds to a minute depending on your system, then you can exit</li>
</ol>
<p>2. Mount the file-container volume and copy your content into it</p>
<ol type="a">
<li>Open the container file you just created, <b>contents.tc</b>, for mounting with TrueCrypt. If you named it with a .tc extension a shell association exists and you can just double-click on it to be taken right into TrueCrypt with it already selected as the volume file.</li>
<li>An available drive letter should already be selected. Click &#8220;Mount&#8221; and enter your password to mount the encrypted volume as that virtual drive.</li>
<li>You can now open that drive letter and populate it with content, whatever is the target data that will be going on the CD. Remember that the drive has a 695MB capacity.</li>
<li>When done, dismount the volume from TrueCrypt using the &#8220;Dismount&#8221; button.</li>
</ol>
<p>3. For a convenient and elegant touch, use TrueCrypt&#8217;s Traveler Disk Setup utility to generate some <a target="_blank" href="http://en.wikipedia.org/wiki/AutoRun">AutoRun</a> machinery that will start automatically when the finished disk is inserted</p>
<ol type="a">
<li>Start the utility from TrueCrypt &gt; &#8220;Tools&#8221; menu &gt; &#8220;Traveler Disk Setup&#8230;&#8221;</li>
<li>For &#8220;Create traveler disk files at (traveler disk root directory)&#8221; box, browse for and locate the scratch path you used in step 1 above, the path where the container file resides</li>
<li>Uncheck &#8220;Include TrueCrypt Volume Creation Wizard&#8221;, you don&#8217;t need it for this use case</li>
<li>Under AutoRun Configuration choose &#8220;Auto-mount TrueCrypt volume (specified below)&#8221;</li>
<li>For &#8220;TrueCrypt volume to mount (relative to traveler disk root)&#8221; box, browse for and locate the container file itself</li>
<li>&#8220;Open Explorer window for mounted volume&#8221; should already be checked</li>
<p align=center><img src="http://www.scottbrownconsulting.com/images/20090725b.jpg" alt="TrueCrypt Traveler Disk Setup" width="456" height="462" /></p>
<li>Finally, click &#8220;Create&#8221; to generate the AutoRun components. Traveler Disk Setup quickly creates a folder named <b>TrueCrypt</b> with a little bit of plumbing and a file named <b>autorun.inf</b> in the target path, then you can close out of the utility</li>
</ol>
<p>4. Burn the CD</p>
<ol type="a">
<li>Using CD burning software of your choice (I use Nero, but use whatever you have on your machine) create a new Data CD (ISO) compilation</li>
<li>Place the following files into it: <b>contents.tc</b>, <b>autorun.inf</b>, and the <b>TrueCrypt</b> folder</li>
<li>Notice importantly what is happening: You are burning the container &#8211; <i>not</i> its encapsulated contents &#8211; and the AutoRun machinery to media</li>
<li>Burn the compilation to blank media, label it, and test it</li>
</ol>
<p>Upon insertion to a computer with AutoPlay enabled, this CD should now prompt you for the password, mount the encrypted volume automatically to an available drive letter, and open an Explorer window to that drive. And because its runtime components are packaged on the disk, it will work even on a machine that doesn&#8217;t have TrueCrypt natively installed.</p>
<p>Many security conscious users (myself included) disable AutoPlay because it poses something of a security risk; in this case, you can still mount <b>contents.tc</b> the long way, using TrueCrypt&#8217;s main dialog, you just sacrifice some convenience.</p>
<p>The developers of TrueCrypt have remarked that they plan to add support for Raw CD/DVD volumes in a <a target="_blank" href="http://www.truecrypt.org/future">future</a> release, which ought to further simplify this procedure.</p>
<p>Stay tuned to this space for Part 2: Encrypted USB Memory Sticks, where I plan to share a very useful nested AutoRun technique.</p>
<p><b>Resources</b></p>
<p><a target="_blank" href="http://www.truecrypt.org/">TrueCrypt Homepage</a></p>
<p><a target="_blank" href="http://www.truecrypt.org/docs/?s=truecrypt-portable">TrueCrypt Traveler Mode</a></p>
<p><a target="_blank" href="http://en.wikipedia.org/wiki/AutoRun">Wikipedia: AutoRun</a></p>
<p><a target="_blank" href="http://www.mxlogic.com/securitynews/identity-theft/extent-of-identity-theft-and-data-breaches-largely-hidden993.cfm">Extent of identity theft and data breaches largely hidden</a></p>
<p><a target="_blank" href="http://www.networkworld.com/news/2009/072309-mass-201-cmr-17-a.html">Mass 201 CMR 17: A Survival Guide for the Anxious</a></p>
<p><a target="_blank" href="http://www.csoonline.com/article/467964/Mass._CMR_The_Darkness_and_the_Light">Mass 201 CMR 17: The Darkness and the Light</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2009/07/applications-of-truecrypt-part-1-encrypted-cds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recommended Practices for Browser Security and Privacy</title>
		<link>http://www.scottbrownconsulting.com/2009/05/recommended-practices-for-browser-security-and-privacy/</link>
		<comments>http://www.scottbrownconsulting.com/2009/05/recommended-practices-for-browser-security-and-privacy/#comments</comments>
		<pubDate>Sat, 30 May 2009 23:08:48 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://192.168.0.5/?p=11</guid>
		<description><![CDATA[Historically, advertisements were limited to operating in one direction: from your newspaper, radio, or television screen to you. Enter the full duplex, bidirectional intertubes, and now advertisers have a slew of lucrative new methods to target the awful nuisance of advertisements to you. The history of sites you visit and your search history (behavioral targeting), [...]]]></description>
			<content:encoded><![CDATA[<p>Historically, advertisements were limited to operating in one direction: from your newspaper, radio, or television screen to you. Enter the full duplex, bidirectional intertubes, and now advertisers have a slew of lucrative new methods to target the awful nuisance of advertisements to you. The history of sites you visit and your search history (<a href="http://en.wikipedia.org/wiki/Behavioral_targeting" target="_blank">behavioral targeting</a>), the content of the page you&#8217;re browsing at the time (<a href="http://en.wikipedia.org/wiki/Contextual_advertising" target="_blank">contextual advertising</a>), and potentially all sorts of demographic and personally characterizing information may be in scope depending on the application (think e.g. Facebook). <span id="more-11"></span></p>
<p>I suppose some may, to varying degrees, not think it&#8217;s such a bad thing to have products and services offered to them that they might be interested in. But I know enough about the operators in the internet advertising space, their business ethics, and their armies of hackers ploying their ploys to be completely sickened by the idea that these organizations maintain lengthy, detailed, all but personally identifiable profiles of my web browsing habits. There is a <a href="http://www.eff.org/related/384/blog" target="_blank">contentious</a> <a href="http://www.eff.org/related/3005/blog" target="_blank">debate</a> <a href="http://online.wsj.com/article/BT-CO-20090323-704920.html" target="_blank">going on</a> <a href="http://en.wikipedia.org/wiki/Criticism_of_Google#Privacy" target="_blank">right now</a> about the extent to which some policies and practices, on the part of some major entities like Facebook and Microsoft and Google in fact, are or are not in violation of (woefully insufficient) consumer protection laws. While all this is being sorted out, the profile they&#8217;ve got on you keeps growing, every day, every time you visit a site or fire up a search box.</p>
<p>Flatly, I do not care for being bombarded by advertisements, in any medium. I do not care for their cliches and their stereotypes and their lies. The secret to losing weight? Don&#8217;t want to know. Generic viagra? No thanks. Billy Mays frantically waving his hands? How about no. I think billboards cause excessive blight. I believe pharmaceutical corporations should be prohibited by law from any form of advertising and that doctors should be making those decisions for their patients, not the other way around. But I digress.</p>
<p>There is a certain amount of unavoidable leakage. The legitimate uses of web applications demand forking over certain details. (And what they can and cannot do with those details is the aforementioned area of contentious debate.) For instance, Facebook isn&#8217;t very useful if you don&#8217;t tell them your locale, and probably your age and gender, and maybe what school you went to. They unabashedly target advertising against all those factors, as is plain to see. There is also a certain amount of trickery that goes on involving browser bugs. The armies of hackers that work for the enemy are quite sinister, in fact, and consistently one step ahead of the armies of hackers that work for the security software companies. To wit, the ad-blocking component of a major retail internet security suite that I will not name by name was apparently dropped after several years of fighting the good fight; someone must have decided it wasn&#8217;t worth the bother any more. Then there is the oft indicated, inescapable, technically required for communication at all, numeric IP address which rarely changes even when dynamically assigned by your ISP. Though there are tools like <a href="http://www.torproject.org/" target="_blank">Tor</a> that make it possible to anonymize your network layer, I don&#8217;t use them, finding them a little overboard.</p>
<p>What I can recommend and what I practice on my own systems is a combination of tools and configurations that is a sane compromise, cake to implement, doesn&#8217;t break any web pages, and doesn&#8217;t make you switch to Firefox. (Unless you want to, in which case, you can, go ahead. Firefox ships with the Adblock plug-in, which is supposed to be pretty good. I would still do all steps below.) This approach relieves you from experiencing essentially all banner advertisements, and relieves the online advertising behemoths of the majority of their ability to operate in the sideband of your browsing experience building profiles about your personal browsing habits.</p>
<p><strong>1. Block third-party cookies</strong></p>
<p>This is so simple and obvious it&#8217;s a wonder browsers don&#8217;t ship this way. It stifles the technique that the profiling systems use to identify and track your browsing activity on their central systems as you move around the web from site to site. In IE, see Tools &gt; Internet Options &gt; Privacy tab &gt; press &#8220;Advanced&#8221; &gt; put Third-party Cookies on &#8220;Block&#8221;. For the equivalent setting in Firefox, do Tools &gt; Options &gt; Privacy tab &gt; uncheck &#8220;Accept third-party cookies&#8221;.</p>
<p align=center><img src="http://www.scottbrownconsulting.com/images/20090530a.png" alt="Block Third Party Cookies" width="459" height="620" /></p>
<p>This prevents any domain that is not the one you are browsing on (the first-party) from manipulating HTTP cookies via an embedded image, script, frame, or other resource. Although due to bugs in IE it&#8217;s not airtight, it&#8217;s miles better than the default configuration, which is to blindly accept all third-party cookies. There is a full <a href="http://www.grc.com/cookies.htm" target="_blank">explanation</a> over at Steve Gibson&#8217;s site as well as an assessment <a href="http://www.grc.com/cookies/forensics.htm" target="_blank">tool</a>.</p>
<p>There is no need to block first-party cookies, in most cases necessary to operation and not up to anything nefarious. Some people with paranoid tendencies block <em>all</em> cookies and whitelist legitimate domains one by one, which seems tedious to me.</p>
<p><strong>2. Purge accumulated tracking cookies</strong></p>
<p>If you just did step 1 for the first time, unless this is a brand new system, a store of accumulated tracking cookies saved by the browser during past browsing activity still remains to be wiped out. I use <a href="http://www.safer-networking.org/en/home/index.html" target="_blank">Spybot</a> for this, though there are many scanners that will detect and remove the cookies of the major offenders. The first time, it will find and remove quite a few.</p>
<p>I also recommend doing a follow-up scan as a regular maintenance task, say once a month, to sweep out any unlikely tracking cookies that might have slipped through the defenses. Recently my scans haven&#8217;t been turning up a single straggler, which means these methods are working. Always update Spybot to current signatures prior to scanning.</p>
<p><strong>3. Block dangerous domains using the HOSTS file</strong></p>
<p>In the past, I would have occupied this space with a local proxy application called <a href="http://www.proxomitron.info/" target="_blank">the Proxomitron</a>, however it broke a lot of web pages, was not well supported, and was cumbersome to install and update. I have found a better solution.</p>
<p>The <a href="http://www.mvps.org/winhelp2002/hosts.htm" target="_blank">MVPS Hosts File</a> is a regularly updated blacklist of known domain names from which banner advertisements, tracking cookies, and a grab bag of other nasties are served. Leveraging the somewhat archaic configuration facility for domain name resolution at C:\WINDOWS\system32\drivers\etc\HOSTS, this method tricks Windows into redirecting any attempted network connections to all those blacklisted domains into a black hole. To install, just drop-in replace the HOSTS file with the one available on the MVPS site. To avoid a performance hit, it is strongly recommended to disable the vestigial DNS Client service from services.msc, unless you are logged in to a Domain Controller.</p>
<p>Be aware that, as with any ad-blocking technique, the MVPS HOSTS File will cause a very few minor peculiarities. Where banner ads were, more times than not they&#8217;re cleanly subtracted from the page, but you may get occasional red X&#8217;s too. Embedded frames that contained ads appear to render with the standard Page Not Found content. This is normal and far preferable to seeing ads. Some pages load with added latencies, probably due to the blocking of on-load ad scripting. And I get some back button annoyances, again probably a consequence of ad scripting. These side effects do not materially break any pages and are well worth the benefit of browsing ad-free. Don&#8217;t forget to go back to the MVPS site and check for an updated HOSTS file from time to time, just to stay current.</p>
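<p>Because a drop-in HOSTS file overrides name resolution for the whole machine, it is worth checking a downloaded copy before installing it: every blacklist entry should point at a loopback or unspecified address, and anything mapped to a routable address deserves a second look. The following is an added example, not part of the MVPS distribution; the sample file is constructed, and treating 127.0.0.1 and 0.0.0.0 as the black hole targets is an assumption.</p>

```python
import ipaddress

# Names that legitimately map to loopback and are not blacklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample in HOSTS file syntax (reserved example domains and a
# documentation-range address).
SAMPLE_HOSTS = """\
# constructed sample blacklist
127.0.0.1       localhost
127.0.0.1       ads.example.com        # banner server
0.0.0.0         tracker.example.net metrics.example.net
203.0.113.80    login.example.org
not-an-ip       broken.example.com
"""


def parse_hosts(text):
    """Return (entries, malformed_line_numbers).

    entries is a list of (line_number, ip_address_object, lowercase_hostname);
    a line carrying several hostnames yields one entry per name.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) == 1:  # address with no hostname
            malformed.append(lineno)
            continue
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries, malformed


def audit_hosts(text):
    """Split entries into black-holed names and redirects to other hosts."""
    entries, malformed = parse_hosts(text)
    blocked, redirects = set(), []
    for lineno, addr, name in entries:
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            blocked.add(name)
        else:
            # The name resolves to some other machine: not an ad block.
            redirects.append((lineno, str(addr), name))
    return {"blocked": blocked, "redirects": redirects, "malformed": malformed}


def is_blocked(hostname, blocked):
    """HOSTS matching is exact: there are no wildcards, so a subdomain of a
    blocked name is not blocked unless it is listed itself."""
    return hostname.lower().rstrip(".") in blocked


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("black-holed names:", sorted(result["blocked"]))
    for lineno, addr, name in result["redirects"]:
        print(f"line {lineno}: {name} resolves to {addr}, review before installing")
    print("malformed lines:", result["malformed"])
```

<p>The exact-match behaviour is why the blacklist has to enumerate every ad-serving hostname individually, and why stale copies lose effectiveness as new hostnames appear.</p>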
<p>With these configurations and tools you should not see a single banner advertisement nor should your privacy be recklessly violated while browsing the web. If the software business wasn&#8217;t in cahoots with the whole frenzied consumption and consumerism zeitgeist thing, we wouldn&#8217;t have to be so proactive in defending ourselves, but it is what it is. Browse safe out there.</p>
<p><strong>Resources</strong></p>
<p><a href="http://en.wikipedia.org/wiki/Behavioral_targeting" target="_blank">Wikipedia: Behavioral targeting</a></p>
<p><a href="http://en.wikipedia.org/wiki/Contextual_advertising" target="_blank">Wikipedia: Contextual advertising</a></p>
<p><a href="http://www.eff.org/related/384/blog" target="_blank">EFF Deeplinks: Privacy</a></p>
<p><a href="http://www.eff.org/related/3005/blog" target="_blank">EFF Deeplinks: Anonymity</a></p>
<p><a href="http://online.wsj.com/article/BT-CO-20090323-704920.html" target="_blank">WSJ: Microsoft IE8 Browser Seeks Compromise On Privacy, Ad Growth</a></p>
<p><a href="http://en.wikipedia.org/wiki/Criticism_of_Google#Privacy" target="_blank">Wikipedia: Criticism of Google: Privacy</a></p>
<p><a href="http://www.grc.com/cookies.htm" target="_blank">Gibson Research Corporation: Misfortune Cookies</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2009/05/recommended-practices-for-browser-security-and-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Full Disk Encryption Service Now Available</title>
		<link>http://www.scottbrownconsulting.com/2009/02/full-disk-encryption-service-now-available/</link>
		<comments>http://www.scottbrownconsulting.com/2009/02/full-disk-encryption-service-now-available/#comments</comments>
		<pubDate>Sat, 07 Feb 2009 23:06:52 +0000</pubDate>
		<dc:creator>scott</dc:creator>
				<category><![CDATA[Encryption]]></category>

		<guid isPermaLink="false">http://192.168.0.5/?p=7</guid>
		<description><![CDATA[Having completed developing and testing a deployment procedure, I am pleased to make available to my customers a brand new service offering: Full Disk Encryption for laptops. 
The Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year, and that identity theft is the fastest growing crime in [...]]]></description>
			<content:encoded><![CDATA[<p>Having completed developing and testing a deployment procedure, I am pleased to make available to my customers a brand new service offering: Full Disk Encryption for laptops. <span id="more-7"></span></p>
<p>The Federal Trade Commission <a href="http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html" target="_blank">estimates</a> that as many as 9 million Americans have their identities stolen each year, and that identity theft is the fastest growing crime in the nation.</p>
<p>If your laptop was lost or stolen, the new &#8220;owner&#8221; could have unrestricted access to view all your private documents, email, pictures, and could even gain access to financial accounts. Your ordinary system login passwords (if you use them) afford you no real protection and only a false sense of security; an unscrupulous individual can bypass Windows passwords and BIOS passwords by simply detaching the drive and connecting it as an external data drive to another computer, rendering all its contents completely visible.</p>
<p>There is a simple and effective countermeasure that protects you against this serious privacy risk, rendering your confidential data totally useless to any unauthorized party who gets their hands on it. Yet not nearly enough users leverage this crucial security capability.</p>
<p><a href="http://en.wikipedia.org/wiki/Full_disk_encryption" target="_blank">Full Disk Encryption</a> (FDE) is software (or hardware) which encrypts every bit of data that goes on a disk, from start to end, automatically, transparently, in real-time. You choose a password that unlocks the encryption, which must be entered whenever starting up the computer. Without the correct password, the contents of the disk are rendered completely useless to any thief, effectively a mass of random data.</p>
<p>Note that this is a much more robust level of security than an ordinary startup password. The data on the disk is stored encrypted at all times and at no time is unencrypted data written to the disk. A low level driver layer intervenes between the disk and the rest of the operating system, to whose point of view the disk is just ordinary unencrypted storage.</p>
<p>I have deployed an industry standard Full Disk Encryption software solution for the protection of my own systems, including not only laptops but also external storage devices. I am using it every day and finding it to be reliable, mature, optimized, and to cause essentially imperceptible (i.e. no) performance impact.</p>
<p>I recommend that all users of portable laptop and notebook computers contact me to set up an appointment to have this vital security capability expertly installed on their systems. Don&#8217;t risk a data breach that could make you the victim of identity theft or the leakage of your personal documents and files to prying eyes. Even if you don&#8217;t have anything &#8220;important&#8221; on your computer, why allow some rogue individual the pleasure of viewing your personal documents, pictures, and email? Lock them out with Full Disk Encryption.</p>
<p><strong>Resources</strong></p>
<p><a href="http://en.wikipedia.org/wiki/Full_disk_encryption" target="_blank">Wikipedia: Full Disk Encryption</a></p>
<p><a href="http://bizsecurity.about.com/od/windowsdesktopsecurity/a/top8fulldisk.htm" target="_blank">About.com Business Security: 8 Reasons for Full Disk Encryption</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottbrownconsulting.com/2009/02/full-disk-encryption-service-now-available/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
