DRG
GnuPG pubring key checker
2011-12-02

We are happy to announce a prototype tool that helps identify keys on a GnuPG public key ring (e.g. ~/.gnupg/pubring.gpg) that are expired, revoked or due to expire within a configured number of days. This script, gpg-ring-check, can be found on the Tools page.

gpg-ring-check is currently a prototype. We have verified that it works on a number of current Linux distributions, but it does not yet work properly on a current Mac OS X machine with GPGTools installed, nor with 2.x versions of GnuPG. We hope to provide an updated version in the future that handles all the operating systems GnuPG runs on as well as all versions of GnuPG. We'll also happily accept patches and fixes from the community.

Running the tool with no arguments prints a usage message; each option should be self explanatory. By default the script reads ~/.gnupg/pubring.gpg, but you may specify an alternate keyring location. When run with the -a option and a number of days, it displays the keys that are revoked, have expired or will expire within that many days of the current date. The DRG uses PGP extensively, and this tool helps alert us to keys on our keyring that have become unusable or are about to expire. We hope you find the script useful too, and we'd love to hear your feedback.
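The check the tool performs, as an added example written for this page rather than the DRG gpg-ring-check script itself: it parses the machine-readable listing that gpg prints with --with-colons and reports keys that are revoked, expired or due to expire within a given number of days. One known difference between GnuPG versions is handled: dates are epoch seconds in --fixed-list-mode (and in all 2.x listings) but YYYY-MM-DD in plain 1.4 listings, where the primary user ID also sits on the pub record. The sample listing, key IDs and user IDs are constructed, and the check_keyring() wrapper with its --no-default-keyring/--keyring arguments is this example's choice of how to point gpg at an explicit pubring.gpg.

```python
"""Flag revoked, expired and soon-to-expire keys in a GnuPG public keyring.

Added example (not the DRG gpg-ring-check script): it parses the output of
``gpg --with-colons --fixed-list-mode --list-keys`` and reports keys that
need attention.
"""
import datetime as dt
import subprocess

EPOCH = dt.date(1970, 1, 1)


def _parse_date(field):
    """Colon-listing dates are epoch seconds (--fixed-list-mode, all of
    GnuPG 2.x) or YYYY-MM-DD (plain GnuPG 1.4 listings); accept both."""
    if not field:
        return None
    if field.isdigit():
        return EPOCH + dt.timedelta(seconds=int(field))
    return dt.date.fromisoformat(field)


def parse_listing(colons_output):
    """Return one dict per primary key: keyid, validity, expiry, uid.

    pub record fields (doc/DETAILS): 2 validity, 5 key ID, 7 expiry and,
    in GnuPG 1.4 without --fixed-list-mode, 10 user ID; otherwise the
    user ID comes from the following uid record (field 10)."""
    keys = []
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1],
                         "expiry": _parse_date(f[6]),
                         "uid": f[9] if len(f) > 9 else ""})
        elif f[0] == "uid" and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = f[9]  # first user ID of the key wins
    return keys


def classify_keys(colons_output, today, warn_days):
    """Return (keyid, uid, status) for every key that is revoked, expired
    or expires within warn_days of `today`; other keys are omitted."""
    findings = []
    for k in parse_listing(colons_output):
        exp = k["expiry"]
        if k["validity"] == "r":
            status = "revoked"
        elif k["validity"] == "e" or (exp and exp < today):
            status = "expired"
        elif exp and (exp - today).days <= warn_days:
            status = "expires in %d days" % (exp - today).days
        else:
            continue
        findings.append((k["keyid"], k["uid"], status))
    return findings


def check_keyring(path, warn_days, today=None):
    """Run gpg against an explicit keyring file and classify its keys."""
    out = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", path, "--with-colons",
         "--fixed-list-mode", "--list-keys"],
        check=True, capture_output=True, text=True).stdout
    return classify_keys(out, today or dt.date.today(), warn_days)


# Constructed sample listing (not real keys): a revoked key, an expired
# key, one expiring 2011-12-25, one without expiry, and one old-style
# GnuPG 1.4 record with ISO dates and the user ID on the pub line.
SAMPLE = """\
tru::1:1322784000:0:3:1:5
pub:r:2048:1:1111111111111111:1262304000:1293840000::-:::scESC:
uid:r::::1262304000::HASH1::Revoked Key <revoked@example.org>:
pub:e:2048:1:2222222222222222:1262304000:1322524800::-:::scESC:
uid:e::::1262304000::HASH2::Expired Key <expired@example.org>:
pub:-:2048:1:3333333333333333:1262304000:1324771200::-:::scESC:
uid:-::::1262304000::HASH3::Expiring Key <soon@example.org>:
pub:-:4096:1:4444444444444444:1262304000:::-:::scESC:
uid:-::::1262304000::HASH4::No Expiry <forever@example.org>:
pub:-:2048:1:5555555555555555:2010-01-01:2013-01-01::-:Old Format <old@example.org>::scESC:
"""

if __name__ == "__main__":
    # Against the sample, as of 2011-12-02 with a 30-day warning window
    for keyid, uid, status in classify_keys(SAMPLE, dt.date(2011, 12, 2), 30):
        print("%s  %-40s %s" % (keyid, uid, status))
```

Run as a script it classifies the embedded sample; `check_keyring("/home/user/.gnupg/pubring.gpg", 30)` does the same against a real ring. Keys with no expiry are never reported, which matches the tool's intent but is worth remembering when a key you rely on has simply never been given one.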

posted at 12:00 am | permanent link



VNC probe insight
2011-11-14

We are happy to announce the DRG VNC probe insight report based on DRG network data. We believe this is the first VNC-based report of its kind being offered to the community. You can find this new community resource on the Insight & Analysis page. A special thank you to Sangkyun Noh, a DRG contributor, for developing the DRG Distro module that helped make this report possible.

posted at 2:10 pm | permanent link



The debut of DRG Weekend Reads
2011-11-11

Today we debut a new service entitled DRG Weekend Reads, a weekly short list of good information security reads to enjoy your weekend with. Each Friday we'll bring you the best of the week, many from the far corners of the net that may have fallen under the popular radar but are well above the interest threshold.

posted at 12:00 am | permanent link



Using GnuPG to encrypt automated system email
2011-08-16

The root mailbox on most unixes can be an excellent source of various server health information. Unfortunately, sending these messages off-system, while convenient, poses the risk of disclosing sensitive system information. Suppose a system administrator receives an e-mail detailing missing patches on a system that is subsequently forwarded to a Gmail account. That message has not only traversed the Internet unprotected, it sits on Gmail's servers unencrypted. In addition, it may end up on a smartphone or laptop that could be lost or stolen.

An implementation for protecting these messages with GNU Privacy Guard (GPG) is outlined below. GPG provides an easy way to send sensitive data across untrusted networks or to destinations that may have limited security controls. Look for more GPG tips from the DRG in the coming weeks and months!

A quick procmail recipe will empower us to do just that:

SUBJECT=`formail -xSubject:`
:0 c
*^To:.*root.*
|formail -I "" | gpg --trust-model always -ear "foo@example.org" | mail -s "$SUBJECT" foo@example.org

In case your procmail skills are a little rusty, let's walk through each line:

  • The first line uses the formail binary to extract the Subject: of the incoming message and assign it to the procmail variable SUBJECT (this is procmail's own backtick assignment, not a shell one).
  • The second line begins a recipe; the c flag tells procmail to work on a copy of the message, so the original is still delivered to the mailbox as usual.
  • The third line is the condition: it matches messages that contain "root" in the To: field.
  • The fourth line pipes the copy through a series of commands:
    • formail -I "" strips the original headers and passes only the message body on to gpg.
    • gpg encrypts the message body. --trust-model always stops gpg from prompting (or, with no terminal, refusing) because the recipient's public key is not trusted in the web of trust. The -ear flags encrypt the message, produce ASCII-armored output and use the specified e-mail address as the recipient.
    • Finally, the output from gpg is piped to the mail command, which sends it to the remote e-mail address with the original subject.

When implementing something similar, you'll want to keep a few things in mind.

  • Since the procmail recipe runs as the mailbox user, it is not wise to use the recipe on the root account. In fact, some MTAs will not pipe messages to commands that would run as UID 0 (this is the default configuration in exim4). It is best to forward root e-mail to a non-privileged account for archiving and forwarding purposes; use your /etc/aliases file to accomplish this.
  • Ensure that local mail delivery is enabled for your root account and for the non-privileged account that handles the forwarding; otherwise procmail will never see the message to process it.
  • Procmail may not be enabled in your default MTA install. Enabling it should involve uncommenting a line or two in your MTA's configuration file.
  • Only the body is encrypted. The Subject: line is copied across in cleartext by mail -s, so keep automated subjects generic; a subject like "missing patches on host X" gives away much of what the body was meant to protect. --trust-model always also means gpg will encrypt to whatever key matches the address without any trust check, so the forwarding account's keyring should contain only keys you have verified out of band.
  • Finally, it should go without saying, but make sure the non-privileged account that does your forwarding has the recipient's public key in its keyring. If it doesn't, gpg exits non-zero with nothing on stdout, and because a plain :0 c recipe does not check the pipe's exit status, the failure is silent, leaving you scratching your head and digging through logs. Adding the w flag (:0 cw) makes procmail check the exit status and record the failure in its log.
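The same forwarding step as a small filter program that fails loudly, as an added example that is not part of the original post and not DRG code. It mirrors the recipe (strip headers, encrypt the body to one recipient with gpg, send with the original subject) but checks gpg's exit status and output, unfolds the subject and strips CR/LF from it before re-emitting it as a header, and exits non-zero so that a :0 cw recipe records the failure. The script name gpg-forward.py, the recipient address, the sendmail path and the sample cron message are assumptions.

```python
#!/usr/bin/env python3
"""gpg-forward.py RECIPIENT: read a mail message on stdin, encrypt its body
to RECIPIENT with GnuPG and hand the result to sendmail.

Added example for the procmail recipe above (not DRG code).  Use it as the
pipe action of a recipe with the w flag so procmail checks the exit code:

    :0 cw
    * ^To:.*root.*
    | /usr/local/bin/gpg-forward.py foo@example.org
"""
import email
import subprocess
import sys

EX_TEMPFAIL = 75   # sysexits.h "temporary failure", the conventional filter exit code


def split_message(raw):
    """Return (subject, body), like `formail -xSubject:` plus `formail -I ""`.
    The subject is unfolded and stripped of CR/LF so it can be re-emitted
    as a header without letting the sender inject extra header lines."""
    head, sep, body = raw.partition("\n\n")
    if not sep:
        head, body = raw, ""
    subject = email.message_from_string(head).get("Subject") or "(no subject)"
    return " ".join(subject.split()), body


def encrypt(body, recipient, gpg="gpg"):
    """ASCII-armor-encrypt body to recipient; raise on any gpg failure.
    --batch forbids all prompting and --trust-model always skips the
    web-of-trust check, so the keyring must hold only verified keys."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--trust-model", "always",
         "--armor", "--encrypt", "--recipient", recipient],
        input=body, capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.startswith("-----BEGIN PGP MESSAGE-----"):
        raise RuntimeError("gpg could not encrypt to %s: %s"
                           % (recipient, proc.stderr.strip() or "no output"))
    return proc.stdout


def build_message(recipient, subject, armored):
    """Assemble the outgoing mail; the subject is sanitised again here in
    case a caller did not go through split_message()."""
    subject = " ".join(subject.split()) or "(no subject)"
    return ("To: %s\nSubject: %s\nContent-Type: text/plain; charset=us-ascii\n\n%s"
            % (recipient, subject, armored))


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: gpg-forward.py RECIPIENT\n")
        return 64                     # EX_USAGE
    recipient = argv[1]
    subject, body = split_message(sys.stdin.read())
    try:
        armored = encrypt(body, recipient)
    except (OSError, RuntimeError) as exc:
        # stderr is inherited from procmail, which writes it to LOGFILE when one is set
        sys.stderr.write("gpg-forward: %s\n" % exc)
        return EX_TEMPFAIL
    subprocess.run(["/usr/sbin/sendmail", "-oi", "-t"],
                   input=build_message(recipient, subject, armored),
                   text=True, check=True)
    return 0


# Constructed sample message (not real cron output) for a dry run of
# split_message() and build_message(); it has a folded Subject: header.
SAMPLE = """\
From: Cron Daemon <root@example.org>
To: root@example.org
Subject: Cron <root@host> /usr/local/sbin/check-updates
 (weekly run)
X-Cron-Env: <SHELL=/bin/sh>

The following packages have updates available:
openssl 1.0.0d -> 1.0.0e
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Use it in place of the three-command pipeline, with the w flag on the recipe. As in the original recipe the subject still travels in cleartext; only the body is protected.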

DRG loves to hear from the community. If you have any feedback, enhancements or fixes, drop us an e-mail or ping us on twitter.

posted at 12:00 am | permanent link



Security Innovation Grant 2011 Winner - NoScript
2011-07-18

The Dragon Research Group (DRG) is pleased to announce the 2011 Security Innovation Grant award winner. The award is given to the most innovative project in the area of information security. This award recognizes and supports novel projects providing non-commercial and open-source solutions to Internet security challenges. This year's award goes to NoScript, a unique and popular browser extension that helps limit security and privacy threats.

Upon learning of NoScript's selection as this year's award winner, Giorgio Maone, the NoScript project leader, thanked the selection committee for recognizing NoScript. "This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day." On his personal blog hackademix.net, Giorgio went on to describe specific development plans and goals for NoScript in the coming months. Patrick Green, DRG Advisory Council Chair and Manager of Networks and Telecommunications at the University of Warwick, speaking on behalf of the selection committee said "It has been a great pleasure to be involved with this very important grant fund - we had a very strong list of candidates for the grant, and it was very difficult to choose a recipient. I'm personally pleased to congratulate NoScript, and help them to continue the good work they do helping end users secure their systems."

This year's award was entirely and solely funded by a personal donation from Robert O. Thomas III. The grant is expected to be awarded, on a yearly basis, to a project with the highest overall merit rating by an independent DRG review committee. The DRG is seeking award sponsors for future awards. If you would like to make a US tax deductible contribution to help sponsor future awards, please contact the Dragon Research Group by sending email to dragon@dragonresearchgroup.org.

The Security Innovation Grant is a one-of-a-kind program to help fund innovative information security projects. Administered by the Dragon Research Group, the winner of the award is chosen by an independent selection committee drawn from the DRG Advisory Council. The selection committee is supported by input from an independent review committee made up of industry experts from the information security community. Award candidate submissions are open to the public with the review committee evaluating submissions according to the award guidelines and project criteria. Further details about the award can be found on the Security Innovation Grant page.

posted at 12:00 am | permanent link



DRG IPv6 Insight Day
2011-06-08

In the spirit of contributing to the Internet Society sponsored World IPv6 Day, we are pleased to bring you our IPv6-specific contribution.

The Dragon Research Group web site has been IPv6 connected since October 2010. Nearly 400 unique IPv6 addresses have accessed http://dragonresearchgroup.org since then. Less than 5% of those used both HTTP and HTTPS; the vast majority were HTTP only. For the month of June 2011 there have so far been over 2500 unique IPv6 HTTP GET requests from nearly 40 unique IPv6 sources. The top 10 countries, by the routed origin of the IPv6 prefix covering each source address, for visitors to dragonresearchgroup.org since October 2010 were:

country code   % of total IPv6 visitors
US             60%
JP              7%
CN              5%
NL              4%
GB              4%
FR              3%
BR              3%
DE              2%
CH              1%
AU              1%

We have seen over 650 unique visitors to the DRG IPv6 test page. Of those, only about 5% actually came from an IPv6 source address.

The DRG Distro Network is a global monitoring network that contains UNIX hosts running application listeners for a few key well known services such as DNS, HTTP and SSH on otherwise unused address space. About one third of the DRG Distro Network has globally routed IPv6 addresses in almost ten different countries. As of today, all but one of the DRG Distro Network installations can successfully send ICMPv6 echo request messages to a well known remote IPv6 connected host and receive ICMPv6 echo responses. All DRG Distro Network installations with IPv6 connectivity are using a /64 network mask by default except for one that is a /126.

The DRG Distro Network has seen only a single IPv6-based SSH connection attempt, from Japan, and has never seen an SSH password-based authentication attempt over IPv6. It has only ever seen a single 'HTTP GET /' request over IPv6, also from Japan but from a different source address than the SSH connection attempt, and has never seen any unsolicited DNS messages over IPv6.

The DRG Distro Network has witnessed hundreds of thousands of lame delegation conditions involving IPv6-based DNS name servers. Lame delegation events occur for a variety of reasons, including deficient IPv6 connectivity in the path between the DRG Distro Network resolvers and the authoritative servers. In fact, over 99% of all IPv6-related lame delegations the DRG Distro Network sees are due to a network reachability issue. In some cases a DRG Distro Network pod that purports to have global IPv6 connectivity is actually unreachable by hosts outside of its local network.

A key interest and long term objective for the DRG is to better understand IPv6 connectivity issues and to help develop tools and insight that better address the needs and challenges to manage the new network layer.

While the community celebrates World IPv6 Day and continues to roll out the next-generation IP protocol, we here at DRG are striving to help. Stay tuned for enhanced IPv6 insight from DRG over the coming months. In the meantime, we would love for you to help us do the research by joining DRG or running a pod.

posted at 12:00 am | permanent link



DRG is expanding, join us!
2011-06-02

Put simply, we need more talented heroes to help work through the growing backlog of research and projects. At present, we are especially interested in volunteers who have a particular set of capabilities and want to make the best use of their skills to help develop exciting new research for the Internet community. If you are ready to join us, visit our Apply to DRG page today and contact us with details. We need you.

We are especially interested in volunteers who possess the following skills:

FreeBSD and GNU/Linux system administration
We are seeking volunteers who are proficient in managing FreeBSD and GNU/Linux systems. Ideally the candidate will be familiar and comfortable setting up and using common monitoring tools, log management applications, system auditing processes, configuration management and modest shell scripting solutions to common tasks. Database administration experience is a plus.
IPv6 end host configuration and internetworking
We are seeking volunteers who understand IPv6 transition technologies, addressing and routing. Ideal candidates will have experience setting up and utilizing IPv6 on Linux and FreeBSD systems.
Technical writing
We are seeking volunteers who have a breadth of information security experience, excellent writing skills and a desire to publish research reports, white papers and refereed journal articles on behalf of DRG and its associated research. Ideal candidates will also possess web authoring skills.
Tool development
We are seeking volunteers who are proficient in developing small to medium sized security tools. Proficiency with Perl, Python, Ruby, C, shell scripting and similar languages common to a UNIX platform is most applicable. The ideal candidate should be able to write small network applications and log parsing scripts, work with SQL databases and be generally capable of manipulating data to produce interesting insight. Web development skills are a plus.
Outreach and public relations evangelizing
We are seeking volunteers who are well connected in the security community and can help interface with the Internet community to bridge needs and projects between the community and DRG. Ideal candidates should be highly respected and frequent participants in various Internet security community forums, proficient with social networking applications and regular guests at in-person community events.

posted at 12:00 am | permanent link



Security Innovation Grant 2011 Finalists
2011-05-31

We are happy to announce that from a large pool of nominees, the Review Committee has narrowed down the Security Innovation Grant candidates to four. In alphabetical order, they are Advanced Intrusion Detection Environment (AIDE), Cuckoo Sandbox, NoScript and OpenBL.org. Congratulations to all the finalists! A winner will be announced in July.

posted at 12:00 am | permanent link



SSH Brute Force Attack Source Insight
2011-04-29

The Dragon Research Group maintains a network of machines we affectionately call "Pods". These Pods run a custom-built and hardened *nix distro which listens on several ports, one such port is 22/TCP SSH. We see a fair amount of brute force password attacks every day against this port; about 36,000 guesses per day on average. We decided to take a deeper look at the attack data, because, well, that's what we do here.

The sample of data used in this study is from a recent 30 day period. It is important to note that this dataset is a very small sample of global Internet IP address space and may not be representative of a more complete global Internet picture. During this time period we saw...

  • About 3,400 attacks
  • Over 1,000,000 (one million) password authentication guesses, about 300 per attack
  • 1,485 unique attacker IP addresses from 532 different AS numbers

We took the unique attacker IP addresses and compared them with a database of some 129,000 malicious domains and IP addresses; we found some interesting correlations.
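The aggregation behind the figures in this post, as an added example that is neither DRG's code nor its data: it extracts password failures from OpenSSH log lines, maps each source to an origin AS and country by longest-prefix match, tallies guesses per AS and unique sources per country, and intersects the sources with a mal-data list. The log lines (TEST-NET addresses), the prefix table (private-use AS numbers) and the mal-data set are constructed; a real run would feed it the pod logs, a routing-table or IP-to-ASN dump, and the 129,000-entry database, and the attack/session grouping the post also reports is left out.

```python
"""Summarise SSH password-guessing sources by origin AS and country and
cross-check them against a list of known-malicious hosts.

Added example, not DRG code or data: the constructed log lines use
TEST-NET addresses and the prefix table uses private-use AS numbers.
"""
import collections
import ipaddress
import re

# OpenSSH auth log line for a rejected password, with or without "invalid user"
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_failed_logins(lines):
    """Return a (username, source_ip) pair for every failed password guess."""
    events = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


class PrefixTable:
    """Longest-prefix match from an address to (asn, country).  Real data
    would come from a BGP table dump or an IP-to-ASN lookup service."""

    def __init__(self, entries):
        # entries: (cidr, asn, country_code); try the most specific prefix first
        self.nets = sorted(
            ((ipaddress.ip_network(cidr), asn, cc) for cidr, asn, cc in entries),
            key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, asn, cc in self.nets:
            if addr in net:
                return asn, cc
        return None, None


def summarize(events, table, maldata):
    """Aggregate guesses the way the post does: totals, unique sources and
    ASNs, top ASNs by hit count, top countries by unique IP, and which
    attacking addresses also appear in the mal-data list."""
    guesses_by_ip = collections.Counter(ip for _, ip in events)
    hits_by_asn = collections.Counter()
    ips_by_country = collections.Counter()
    for ip, n in guesses_by_ip.items():
        asn, cc = table.lookup(ip)
        hits_by_asn[asn or "unknown"] += n    # hit count = guesses, not unique IPs
        ips_by_country[cc or "unknown"] += 1  # one per unique source address
    return {
        "guesses": sum(guesses_by_ip.values()),
        "unique_ips": len(guesses_by_ip),
        "unique_asns": len([a for a in hits_by_asn if a != "unknown"]),
        "top_asns": hits_by_asn.most_common(10),
        "top_countries": ips_by_country.most_common(10),
        "in_maldata": sorted(ip for ip in guesses_by_ip if ip in maldata),
    }


# --- constructed sample input (not DRG data) -----------------------------
SAMPLE_LOG = """\
Apr 29 10:21:33 pod1 sshd[1201]: Failed password for root from 192.0.2.10 port 54321 ssh2
Apr 29 10:21:35 pod1 sshd[1201]: Failed password for root from 192.0.2.10 port 54321 ssh2
Apr 29 10:21:37 pod1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 54321 ssh2
Apr 29 10:21:39 pod1 sshd[1201]: Failed password for invalid user oracle from 192.0.2.10 port 54321 ssh2
Apr 29 10:30:02 pod1 sshd[1230]: Failed password for root from 192.0.2.11 port 40001 ssh2
Apr 29 10:30:04 pod1 sshd[1230]: Failed password for root from 192.0.2.11 port 40001 ssh2
Apr 29 11:02:10 pod1 sshd[1302]: Failed password for invalid user test from 198.51.100.5 port 2222 ssh2
Apr 29 11:02:12 pod1 sshd[1302]: Failed password for invalid user guest from 198.51.100.5 port 2222 ssh2
Apr 29 11:02:14 pod1 sshd[1302]: Failed password for root from 198.51.100.5 port 2222 ssh2
Apr 29 12:15:00 pod1 sshd[1400]: Accepted publickey for drg from 203.0.113.200 port 5000 ssh2
Apr 29 12:40:41 pod1 sshd[1455]: Failed password for root from 203.0.113.7 port 3333 ssh2
Apr 29 13:01:09 pod1 sshd[1490]: Failed password for root from 100.64.0.9 port 1024 ssh2
""".splitlines()

TABLE = PrefixTable([
    ("192.0.2.0/24", "AS64496", "CN"),
    ("198.51.100.0/24", "AS64497", "US"),
    ("203.0.113.0/24", "AS64498", "DE"),
    ("203.0.113.0/25", "AS64499", "DE"),   # more specific: exercises longest-prefix match
])

MALDATA = {"192.0.2.10", "203.0.113.7", "203.0.113.200"}  # stands in for the 129,000-entry list

if __name__ == "__main__":
    report = summarize(parse_failed_logins(SAMPLE_LOG), TABLE, MALDATA)
    for key, value in report.items():
        print("%-14s %s" % (key, value))
```

The "top ASNs" ranking counts guesses, which is what a hit-count chart shows; ranking by unique source IPs per AS, or normalising by the AS's announced address space as the post notes it did not, only needs a different Counter in summarize().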

Top Attacking Nets are Consumer ISPs?
Top attacking networks appear to be ISPs who sell to consumers. It's likely that these are zombie bots (infected machines participating in botnets).

(Chart: Top 10 ASNs by Hit Count)

Attacking Nets Full of Badness
Correlation with the mal-data shows that some of these networks are full of "badness". The top 10 networks from our SSH attack data are also home to 3,582 malicious domains, approximately 10% of the malicious domains we have listed, meaning they host not only attack machines but also websites that serve malware, rogueware, phishing pages and the like. Some of the ISPs are rather large, which would propel them higher on the list; we did not normalise by the ratio of unique attacking IPs to the total address space allocated to each AS number.

TYPES : trojans, droppers, rootkits, C&C, phishing sites, redirectors
DELIVERY / EXPLOITATION : 0-day exploits, fake anti-virus, fake Microsoft updates, fake videos, fake pics, fake codec, mass SQL injection attack
MALWARE NAMES : Bredolab, Conficker, Wsnpoem, ZeuS, Zbot, Waledac, Gumblar, Koobface, Russkill, SpyEye, Virut, Asprox, Mebroot, TDSS, Cutwail, KillAV, TDSS, Swisyn, Rustock, InfoStealer
BRANDS ATTACKED : U.S. Govt. CDC, Facebook, President Obama, Microsoft, US Govt. IRS, MySpace, Twitter, HSBC
EXPLOITS : Windows, MS RealPlayer, PDF, IE, 0-days, (Eleonore, Phoenix, Fragus, Liberty, Yes, LuckySploit, Fragus, Krap)

(Chart: Maldata Keyword Counts)

Top AS = Top Source of Mal-Data
The #1 AS number on the SSH hits list is #3 on the mal-data list, accounting for 2,181 mal-domains: AS 4134, CHINANET-BACKBONE No.31 Jin-rong Street. According to the CIDR Report (CIDR Report Listing for AS 4134) this ASN is huge, announcing some 100 million IP addresses, which could in part account for the large number in our report. The mal-data entries attributed to this AS include:

  • Domains injected into SQL servers during SQL injection attack.
  • Domains used in various phishing spam and malware attacks.
  • Exploits for Windows, PDFs.
  • Malware distribution and C&C for ZeuS, Wsnpoem, Zbot, Bredolab, SpyEye, Koobface, Waledac, Russkill.
  • Fake videos, fake anti-virus software, flash.

Top Attacking Country = China
Top attacking country by IP location: China, accounting for roughly 21% of all unique IPs. Next is the US with 13%. Incidentally, Russia and Ukraine, known to host their fair share of malware, miss the top 10 ranking coming in as 12th and 13th respectively.

(Chart: Top 10 Countries by Unique IP Address)

posted at 12:00 am | permanent link



Security Innovation Grant Update
2011-03-07

The Security Innovation Grant, administered by DRG, is being changed from an award based on a new project proposal to an award given to an existing, qualifying project based on your suggestions! The selection committee did not receive enough qualifying proposals under the old system. We believe changing the grant process to this new format will help attract a larger number of qualifying submissions and ultimately be a better fit for the intended candidates. Do you know of any promising security projects already under way that could benefit from an influx of US $10,000 of support? If so, please send us the name, contact information and a brief description of the project you think the review committee should know about. We'll do the rest. See the Security Innovation Grant page for details.

posted at 12:00 am | permanent link


