According to a recent analysis conducted by Akamai, of all the observed attack traffic, which originated from 209 unique countries around the world, the United States was the top source, accounting for 12% of the total. Russia and China held the second and third spots respectively, accounting for just over 20% of observed attack traffic combined. Aggregated at a continental level, Europe was responsible for the highest percentage of attacks seen in the third quarter. Port 445 continued to be the most highly targeted port for observed attacks, though the percentage of attacks targeted at Port 23 (Telnet) grew significantly during the third quarter.
Now just to bring you up to speed on these ports, TCP port 445 is “SMB over IP”. SMB stands for “Server Message Block” (its open-source implementation is known as “Samba”). One of the potentially chilling consequences of exposing port 445 has been the relatively silent appearance of NetBIOS worms. These worms slowly but methodically scan the Internet for instances of port 445, use the remote administrative tools provided by Microsoft to transfer themselves onto the new victim computer, then redouble their scanning efforts. Through this mechanism, massive, remotely controlled Denial of Service “Bot Armies”, containing tens of thousands of NetBIOS-worm-compromised machines, have been assembled and now inhabit the Internet. Any NAT router or personal firewall should be able to block port 445 from the outside world without trouble.
What’s old is new again? Given the human tendency to go for the path of least resistance, I’m not surprised that we continue to have security concerns around TCP port 23. Shame on those people who continue to use this antiquated connectivity protocol when there are secure alternatives. This port is allocated for Telnet, one of the earliest, original protocols of the Internet. A machine offering Telnet services is essentially offering to accept an “across the Internet” remote console terminal connection from any client device. This makes Telnet quite powerful and, without proper security, a significant security concern. Any NAT router or personal firewall should be able to block port 23 from the outside world without trouble. You should also disable this protocol server side and use secure shell mechanisms instead.
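As an added example (not from the original post), here is the kind of check a firewall administrator can run over their own drop logs to confirm the two ports above are being hit from outside and to spot the sweep pattern described for port-445 worms. The log lines are constructed in iptables LOG format using documentation address ranges, and the `is_internal` / RFC 1918 split is an assumption about a typical NAT setup.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in iptables LOG format; addresses are from
# documentation/test ranges (RFC 5737) and RFC 1918, not real sources.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=445
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=51235 DPT=445
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=51236 DPT=445
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=23
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23
kernel: IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.20 PROTO=TCP SPT=60000 DPT=445
kernel: IN=eth0 OUT= SRC=203.0.113.22 DST=198.51.100.10 PROTO=TCP SPT=3333 DPT=443
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")
WATCHED_PORTS = {445: "SMB", 23: "Telnet"}  # the two ports discussed above
# Assumed "inside" address space for a NAT'd network (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_log(text):
    """Yield (src, dst, dport) for each TCP log line that matches the format."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])

def external_hits_by_port(text):
    """Count inbound hits on the watched ports that come from outside RFC 1918 space."""
    counts = Counter()
    for src, _dst, dport in parse_log(text):
        if dport in WATCHED_PORTS and not is_internal(src):
            counts[dport] += 1
    return dict(counts)

def find_scanners(text, min_targets=3):
    """External sources probing one watched port on at least min_targets distinct
    hosts: the methodical sweep the post attributes to port-445 worms."""
    targets = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport in WATCHED_PORTS and not is_internal(src):
            targets[(src, dport)].add(dst)
    return sorted(key for key, hosts in targets.items() if len(hosts) >= min_targets)

if __name__ == "__main__":
    print(external_hits_by_port(SAMPLE_LOG))
    print(find_scanners(SAMPLE_LOG))
```

If your NAT rules are working, the only hits on 445/23 should come from internal sources; any external count here means the port is reachable from outside and the block in front of it needs checking.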
In my role as a Chief Information Security Officer at the various companies where I’ve held that post, in simple terms, it has always been easier to neuter domestic threats than foreign threats. What is pretty amazing to me is the sheer number of companies out there that are so reluctant to address the problem and to work collaboratively with security practitioners. For example, my wife recently had her credit card number taken from the commerce database of a coffee shop located on a military installation by one of the punk latte jockeys. This guy proceeded to make several test purchase attempts through various online vendors. We discovered the problem rather quickly and there were no successful credit card authorizations made. The interesting component here is that several vendors, seven to be precise, actually mailed their products to our home address without card validation. Now you know you are going to have a bad day when you decide to steal the credit card of a qualified security practitioner, and one who loves the smell of blood in the water. This is one of the catalysts for my desire to attend law school, by the way. I contacted those vendors and offered my assistance pro bono to track down the criminal. Now let me make something clear: we suffered no financial loss, but those seven vendors all did. All but one decided that I would need a subpoena to get a copy of the web logs or to work with their internal security staff in an effort to track down the criminal who had just ripped them off. Unbelievable! If you want to knowingly be a victim, so be it. When you suffer as a result of poor decisions, that’s what I would call natural selection at work.
It occurred to me some time ago that the most effective way to deal with criminals like these is to escalate your response. I refuse to knowingly be a victim. I don’t believe in getting even, because it gives your opponent no disincentive to think twice about doing it to you again. I believe in preemptive action and significant escalation. For example, when dealing with domestic phishing attacks, rather than the traditional method of site take-down, I go for the host organization. If you shut the host down, not only do you eliminate the criminal’s safe harbor, but you also stir up trouble for the host by affecting everyone else it serves, which has a huge impact on the host. In my experience, the host would rather stay in business and clean house than go out of business. Either way, you win.
By the way, the credit card theft situation ended with the perpetrator being arrested. Since he did this on a military installation, it automatically amounts to a felony. Since his attempted theft amounted to more than $500 USD, it amounts to attempted grand larceny. The coffee shop, by not adhering to PCI standards and using only rudimentary encryption to protect customer credit card data, has its own problems now as well. Like I said already, natural selection.