thank fuck the italian told Microsoft and not the larger white-hat hacker community, otherwise we would have seen 'in the wild' stuff already before a defence could be mounted (machines patched)
this is gonna hurt though... from my records alone we've got over 300 machines in PNG, Africa that I won't be able to patch for a while and are directly publishing RDP to the net...
|
pARODY
Brisbane, Queensland
1069 posts
You do realize that white-hat hackers are the guys who report vulnerabilities to vendors?
Black-hats are the guys who will make worms and exploits for it and use it to profit/fuck shit up.
|
Gesthemene
Brisbane, Queensland
1199 posts
Scooter
Brisbane, Queensland
5657 posts
Yeah, but I'm guessing that if you told all the other White-Hats there would be an increased chance of one of those hats being soiled... or someone who isn't so white hatty finding out as well.
|
teq
Brisbane, Queensland
12775 posts
pretty stupid to leave rdp open to the wild, you're just laying out a welcome mat for hackers
if you really have to leave it open, at least change the port
|
skythra
Brisbane, Queensland
5277 posts
Because we've never seen a 'white hat' ever decide to make his point inappropriately before.
|
parabol
Brisbane, Queensland
6800 posts
skythra and scooter know how it works.
Also, changing a port does absolutely nothing teq as anyone who has a 0day would scan all ports of a target for RDP service signature. Good password, authentication and retry-attempt security policy does.
Of course, this 0 day exploit gets through all of it :(
EDIT: Thanks parabol! That's going to be easier to roll out.
last edited by gamer at 11:10:46 14/Mar/12
last edited by gamer at 11:11:25 14/Mar/12
|
parabol
Brisbane, Queensland
6801 posts
Changing a port does absolutely nothing teq as anyone who has a 0day would scan all ports of a target for RDP service signature
That's completely possible but for most targets improbable as most hack attempts are likely IP range scans for standard ports, since doing a complete all-port scan would take too long per IP.
Of course if someone was specifically interested in gaining access to your network then yes changing the port won't help.
|
thank fuck the italian told Microsoft and not the larger white-hat hacker community, otherwise we would have seen 'in the wild' stuff already before a defence could be mounted
Also, changing a port does absolutely nothing teq as anyone who has a 0day would scan all ports of a target for RDP service signature.
so which is it - security through obscurity is good or bad? can't have it both ways
|
teq
Brisbane, Queensland
12776 posts
Also, changing a port does absolutely nothing teq as anyone who has a 0day would scan all ports of a target for RDP service signature.
some would say it takes around 65000 times longer to scan every port on every IP, than just one port on every IP.
I would never personally leave RDP open on an important machine so I can't vouch for the effectiveness of this method, but it's better than having it wide open.
RDP doesn't respond when you establish a TCP connection, so if it's on a random port you'd have to be overtly testing for RDP rather than just port scanning entire subnets for potential 0 day vulns.
|
thermite
Brisbane, Queensland
9182 posts
fuck it's jargon central up in this thread
|
do0b
Brisbane, Queensland
4216 posts
nope it's just people who don't know shit overcomplicating their posts..
|
Opec
Brisbane, Queensland
7542 posts
This one has a potential to be a nasty one...
|
trog
AGN Admin
Brisbane, Queensland
35837 posts
Also, changing a port does absolutely nothing teq as anyone who has a 0day would scan all ports of a target for RDP service signature. Good password, authentication and retry attempt security policy, does.
Anecdote time! I just checked my ssh log files and I have no authentication attempts on my Linux box on its non-standard port. So I conclude no one has bothered port scanning my server to find what port ssh is running on.
I agree that changing port is not a magic security fix, but it makes you massively less of a target - there's just so much other low hanging fruit out there.
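An added example, not code from the thread or from any of the posters: a small Python script that does what trog describes (go through the sshd auth log and see who has actually been hammering the box) and then applies the kind of retry-attempt policy parabol mentions, flagging any source that racks up N failed logins inside a time window. The log lines are constructed for the example, and the year is assumed to be 2012 because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real logs from the thread); RFC 5737 test addresses.
SAMPLE_LOG = """\
Mar 14 10:01:02 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 14 10:01:05 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51523 ssh2
Mar 14 10:01:09 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Mar 14 10:01:12 gw sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51540 ssh2
Mar 14 10:01:14 gw sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51541 ssh2
Mar 14 10:15:30 gw sshd[2201]: Accepted publickey for trog from 198.51.100.20 port 40022 ssh2
Mar 14 10:16:01 gw sshd[2210]: Failed password for trog from 198.51.100.20 port 40030 ssh2
Mar 14 10:16:05 gw sshd[2210]: Accepted password for trog from 198.51.100.20 port 40030 ssh2
Mar 14 11:40:00 gw sshd[2300]: Failed password for invalid user pi from 192.0.2.99 port 33000 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n> ssh2" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2012):
    """Turn raw sshd log text into a list of auth events; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog has no year, so one is assumed (see lead-in).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def summarize(events):
    """Per-source totals: failed attempts, accepted logins, and the set of user names tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for e in events:
        s = summary[e["src"]]
        s["failed" if e["result"] == "Failed" else "accepted"] += 1
        s["users"].add(e["user"])
    return dict(summary)


def flag_brute_force(events, threshold=5, window_seconds=600):
    """Retry-attempt policy: flag a source once it has `threshold` failures within any
    `window_seconds` sliding window. Returns {src: failures_in_window} for flagged sources."""
    per_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            per_src[e["src"]].append(e["time"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def report(text):
    """Convenience wrapper: parse the log and return (per-source summary, flagged sources)."""
    events = parse_auth_log(text)
    return summarize(events), flag_brute_force(events)


if __name__ == "__main__":
    summary, flagged = report(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        print(f"{src}: failed={s['failed']} accepted={s['accepted']} users={sorted(s['users'])}")
    for src, n in flagged.items():
        print(f"ALERT {src}: {n} failed logins inside the window -> lockout/blocklist candidate")
```

On the sample data only 203.0.113.7 trips the policy (five failures in twelve seconds, cycling through root/admin/oracle/test); trog's single typo followed by a successful login does not. The same per-source aggregation is what a lockout or fail2ban-style rule is built on, which is the "retry attempt security policy" layer that still applies whichever port the service sits on.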
|
pARODY
Brisbane, Queensland
1070 posts
Security through obscurity is a valid method, sadly it gets the bad reputation when people think that is all they need to do. Moving the port, patching the vulnerability and retaining an audit trail of activity all come to a good security stance.
|
You guys talk about defending against automated bots like you're defending against an attacker with your system targeted.
Defence against automation by changing to a non-standard port will not 'secure' your server against any real attack.
Humans behind keyboards are always what you should have in mind when designing your security, not automation scripts that run to try and infect systems to increase botnets for spam, fraud, DDoS and resell value.
These are more like modern day viruses (compared to webpage malware 5-10 years ago). If you need to defend against automated attacks that stroll public IP ranges because you think you could be compromised you have larger problems.
In the enterprise world moving to non standard ports means huge changes to scripts and programs not just now but into the future to try and cater for that change and a larger helpdesk overhead for users etc. Quite often you're not able to implement a change like that even if you wanted to. I would never advise anyone use a non standard port and don't even consider that 'obscurity'.
It might produce less 'hits' on the service by automation for a home user who has their public ADSL2 IP forwarded to their home PC, but if a human was targeting the user and obtained the public IP they would eventually find the service on a non-standard port.
This 'obscurity' you are talking about, is just sticking your head in the sand.
Whenever I talk about security, it's not in reference to automated public net bot creators, as they aren't even a targeted attack.
It's like walking past every house and seeing if a door is open. Why on earth would you discuss talking about what deadbolts are best to use?
|
trog
AGN Admin
Brisbane, Queensland
35838 posts
This 'obscurity' you are talking about, is just sticking your head in the sand.
It is a layer in the onion. See pARODY's post. It is part of security in depth. If you don't like it, fine, but you've just left out another layer of defences that you either have to replace with something else or deal with at a different level.
It's like walking past every house and seeing if a door is open. Why on earth would you discuss talking about what deadbolts are best to use?
That is a false analogy. The real analogy is walking past a bunch of houses and looking at the fronts. The ones with open doors are insecure so you can just walk in there and steal stuff! The ones with closed doors might be harder - you have to go up and try the handle, which is time consuming and potentially risky. But then you walk past the one with no doors - do you waste time walking around the back to see if they have a back door - or a door at all? Or do you just keep walking past the houses looking for more with open doors, or ones with obvious doors?
The deadbolt doesn't enter into it until you actually get to the door. The deadbolt is another part of the onion - it is just another part of security in depth.
You can ignore me of course but when it comes to security stuff I would just do whatever pARODY told me to do because I know this is his thing!
|
Security through obscurity is a valid method
can't say I agree with that myself. I see it solely as a means of reducing log spam
Humans behind keyboards is always what you should have in my mind when designing your security, not automation scripts that run to try and infect systems to increase botnets for spam, fraud, DDoS and resell value.
not really
if you're going to think of it that way, you should consider both, not just one or the other. both have strengths and weaknesses, primarily logic vs speed. incidentally though, automated programs can potentially utilise more logic than humans can speed
This 'obscurity' you are talking about, is just sticking your head in the sand.
yet you seemed happy about it for this particular exploit when you said "thank fuck the italian told Microsoft and not the larger white-hat hacker community" <-- security through obscurity
|
Opec
Brisbane, Queensland
7543 posts
trog
AGN Admin
Brisbane, Queensland
35839 posts
I just realised that "that Italian" gamer refers to is none other than Luigi Auriemma, who is quite well known in security circles in the gaming world. He's responsible for getting a bunch of game problems fixed. He is a dead set legend in the gaming world and has been largely responsible for trying to make sure game developers think about security at least a little bit in the online world (although not as successfully as I would have hoped as there are still many problems that plague certain games).
|
typo
Other International
6477 posts
> (although not as successfully as I would have hoped as there are still many problems that plague certain games).
For years you used to defend QGL not bothering to protect from simple script injections as a feature and that obscuring emails behind some scriptlet was fine and dandy. I honestly can't fathom how dreadful a company's security would have to be for you to become concerned.
|
trog
AGN Admin
Brisbane, Queensland
35843 posts
what? I don't recall ever saying anything like that. I certainly didn't "obscure emails behind some scriptlet", I personally wrote the code that stopped email addresses from showing unless users had opted in specifically to have them shown (" [email protected]" I think still shows up for people in the email field).
|
cJay
Brisbane, Queensland
1258 posts
I see IT peeps expose RDP to the NET on a daily basis with pathetic usernames and passwords.
I would lock that shit down with certificate based authentication but hey that's just me.
|
eski
Perth, Western Australia
796 posts
Whoop
Brisbane, Queensland
19510 posts
I'm guessing my firewall keeps me almost safe (not windows firewall)
For years you used to defend QGL not bothering to protect from simple script injections as a feature and that obscuring emails behind some scriptlet was fine and dandy. I honestly can't fathom how dreadful a company's security would have to be for you to become concerned.
le what?
I've not been here from the very beginning but in the time I've been on ausgamers/qgl the admins used to always say that full html & scripts & stuff were able to be used because everyone was mature enough to not abuse it. I remember many threads that would have the colours changed to pink or green to fit the theme of the thread or those crazy javascript fuelled random image sigs/avatars.
good times.
|
parabol
Brisbane, Queensland
6805 posts
I'm guessing my firewall keeps me almost safe (not windows firewall)
If by firewall you mean the internet is connected directly to your PC and you're using 3rd party firewall software, then as long as it denies inbound connection by default then you're safe.
If by firewall you mean an adsl/cable router or a dedicated firewall PC, then as long as you're not port forwarding and not DMZing, your firewall won't pass the traffic forward to a random machine for no reason.
|
Whoop
Brisbane, Queensland
19513 posts
Firewall = a router, however since I'm lazy I've got upnp turned on. Why I said ALMOST safe :)
*turns upnp off*
|
IVY_MiKe
Canberra, Australian Capital Territory
784 posts
Cheers for the heads up Gamer, but for the most part I think for individuals the 'obscurity is security' argument is valid.
And let's face it, if you have 300+ sites (inter nation etc) and you AREN'T using some sort of VPN or Security certificate methods for authenticating RDP sessions, it's no surprise that 'changing the port' is no defence.
I'm looking at running RDP to my home server. (which is just running Win 7 atm) what do people recommend for RDP security here...
I am trying to set up RDP access as elegantly as I can (read: using Microsoft tools/'features' etc)
I know I can use a 3rd party app, but I'm trying to go about the 'minimalist' approach with at least two separate methods of authentication. (username/strong password, and either Security Certs or VPN)
Therein lies my problem... pretty much any methods of authentication kinda require more network infrastructure (in the nature of some sort of VPN gateway, or additional stuff about)
I guess I'm curious as to what others are using to access their PC's remotely...
|
Alize`
Brisbane, Queensland
1642 posts
So what about if you require to authenticate via a gateway? Is that set up protected?
|
HerbalLizard
Brisbane, Queensland
5428 posts
So what about static portmaps for rdp?
|
Opec
Brisbane, Queensland
7550 posts
Cheers for the heads up Gamer, but for the most part I think for individuals the 'obscurity is security' argument is valid.
And let's face it, if you have 300+ sites (inter nation etc) and you AREN'T using some sort of VPN or Security certificate methods for authenticating RDP sessions, it's no surprise that 'changing the port' is no defence.
I'm looking at running RDP to my home server. (which is just running Win 7 atm) what do people recommend for RDP security here...
I am trying to set up RDP access as elegantly as I can (read: using Microsoft tools/'features' etc)
I know I can use a 3rd party app, but I'm trying to go about the 'minimalist' approach with at least two separate methods of authentication. (username/strong password, and either Security Certs or VPN)
Therein lies my problem... pretty much any methods of authentication kinda require more network infrastructure (in the nature of some sort of VPN gateway, or additional stuff about)
I guess I'm curious as to what others are using to access their PC's remotely...
- Get DynDNS account of some sort and set that up on your ADSL router so when it drops and reconnects you can still get to your home PC via DynDNS domainname;
- Don't open RDP to direct external connection;
- Port forward VPN related ports to your windows machine.
- Set up incoming VPN on your Windows machine, if you want to use L2TP / IPSec then you'll need third party software like OpenVPN: http://openvpn.net/index.php/open-source.html or if you want native PPTP then do this: http://www.howtonetworking.com/VPN/win7vpn1.htm
Then you can do all your VPN certificate auth thing, then just RDP as per usual and enable NLA for RDP.
Works pretty well.
|
TicMan
Melbourne, Victoria
7819 posts
Static IP
Port forward SSH to my Linux box
Do SSH tunnelling
.. accessing home PC like a boss!
|
pARODY
Brisbane, Queensland
1071 posts
I've been tracking a couple blogs and twitter threads about a proof of concept for this bug. Currently the PoC seen on pastebin is an exploit from 2008 with new shellcode. If you're into testing your own security, don't use the PoC as it might be trojaned ( I'm reviewing it currently ). Wait for a metasploit module for it to be released. :]
|
Tollaz0r!
Brisbane, Queensland
12417 posts
I remember many threads that would have the colours changed to pink or green to fit the theme of the thread or those crazy javascript fuelled random image sigs/avatars.
I also remember the following torrent of mini-threads where users apologized for their misdeeds..
|
Dazhel
Gold Coast, Queensland
4535 posts
for the most part I think for individuals the 'obscurity is security' argument is valid
The argument is never valid, even for individuals. An individual is perhaps marginally less likely to be attacked because of the size and value of the target, but I wouldn't want to stake my data on it as the argument itself is just as bogus.
|
teq
Brisbane, Queensland
12788 posts
when your mum or dad says "I want to be able to access my computer from my iphone so I can do X/Y/Z" and the computer has nothing important on it (like a torrent client or something)
it's much, much easier to just change the rdp port and set up their phone to connect on the non standard port, rather than setup a vpn on their phone and at their house
firewalls are a pain if you just want a simple solution
my point being, obscurity has its place
|
casa
Brisbane, Queensland
4550 posts
Another epic gamer thread, I love these to no-end.
|
Dazhel
Gold Coast, Queensland
4536 posts
There's nothing wrong with changing the port, but like Jim said it'd just be to cut down on log spam. If there's no data to protect then securing access to nothing is pointless anyway.
From what I've seen though nearly everyone has something they'll cry about if they lose even if they say "oh there's nothing important on it"
|
teq
Brisbane, Queensland
12789 posts
just because you don't have a use for it doesn't mean heaps of other people don't
|
trog
AGN Admin
Brisbane, Queensland
35906 posts
|