I really wish there was something we could do about Conficker as a technology community. CNN puts the number of infected computers worldwide somewhere between 3 million and 12 million. Seems insignificant given the size of the entire Internet. I’d like to pose a question to the community: what tools would we need in order to mitigate the risks of Conficker, or of any worm for that matter?
Do the normal rules of engagement apply here? When I was in the telecommunications industry, we tackled problems like this systematically:
Identify the risk.
Identify the number of infections.
Allocate all parties and resources necessary to resolve.
Run hourly checks to ensure every compromised system is attended to.
“Lessons Learned” with all parties involved once 100% resolution is attained.
Seems like documentation and tracking are the key. At my former company, we used massive spreadsheets and sent updates to those assigned to verify resolution and remove the record. What would scale on the Internet, considering there would be between 3 million and 12 million records?
Another question: should this all be centralized in a consortium? I have mixed feelings about this. In a corporate office it certainly was convenient to have strict policies and standards. Consistent problems bring consistent solutions, as the saying goes. I also consider myself a free market and free Internet kind of technologist.
Perhaps just a crowd-sourced site (I know, I know) focused on the resolution of all the Confickers of the world, providing information, links, etc., would be on the right course. Make it a condition that all the information is Creative Commons and, lo and behold, maybe we’d have a winner.
Here is CNN’s information regarding recent activity on Conficker. What troubles me about it is the apparent loss of hope in a resolution. Kind of makes me sad to think that Sunday breakfast table conversation might end up starting with Dad opening a newspaper and asking “I wonder what Conficker is up to today?” Very disturbing.
With the hurricane season at its peak, I’ve decided to include a section focused on DR. I hope to add links to sites detailing weather and EOC information for the United States. If anyone elsewhere would like to contribute, please email me at <mike at itadmins dot org>. I’d also like to add sections covering power systems and other details.
Just a heads up to Ubuntu and Debian users out there. There is a major bug in OpenSSL that needs to be patched on all Debian and Ubuntu systems, and you must regenerate your SSH keys afterwards, since keys generated with the flawed package are not fixed by the patch alone. I’ve included some links to the gory details:
OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. A list with all supported platforms is available here.
After testing it out on several of my machines, I can officially say it’s exactly what I was looking for in an IDS: something lightweight, cross-platform, and well documented. My setup involved installing it as a local instance on every machine, rather than the centralized config. Viewing the logs for every machine in one place doesn’t really appeal to me. I just need something that will nag me and say, “Hey, Dummy! You misconfigured that install you attempted at 3am. Fix it!” The added benefit of receiving the alerts offsite is that a copy of the records is stored in my Gmail. Even if someone did manage to root a computer, the alerts wouldn’t live only on the box, so the creator of the kit wouldn’t be able to bury his/her tracks by editing the local logs.
My hope is to test the centralized configuration in the future, but for the moment there is no benefit.
This is absolutely what I was looking for in intrusion detection. Go check OSSEC out when you get a chance.
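As an added example (not the author’s configuration and not the default ossec.conf that OSSEC ships), here is a trimmed ossec.conf for the setup described above: a stand-alone local install that mails alerts off the box. The mailbox addresses, relay hostname and log paths are placeholders; the /var/ossec paths are OSSEC’s standard install locations.

```xml
<!-- Example ossec.conf for a stand-alone ("local") OSSEC install that mails
     alerts off the box. Addresses and the relay hostname are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>alerts@example.org</email_to>
    <!-- OSSEC's built-in mailer speaks plain SMTP with no auth or TLS, so point
         it at a local MTA that relays to the external mailbox (assumed: localhost). -->
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@host.example.org</email_from>
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>     <!-- everything goes to alerts.log -->
    <email_alert_level>7</email_alert_level> <!-- only level 7 and above is mailed -->
  </alerts>

  <!-- File integrity checking: hash system binaries and config every 6 hours -->
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/random-seed</ignore>
  </syscheck>

  <!-- Rootkit detection using the signature files shipped with OSSEC -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Log analysis: the files a misconfigured 3am install will complain in
       (Debian/Ubuntu paths assumed; adjust for other distributions) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <!-- Keep active response off on a box that should only nag, never block -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
```

After editing, restart with /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for configuration errors before trusting the first quiet night.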
I finally had the opportunity to load Tomato on my WRT54GS v.3 over the weekend, and this is absolutely the best firmware I have come across to date. The interface is clean and offers something DD-WRT does not: realtime bandwidth monitoring from the web interface. Thus far, it has run very stably. There is also a noticeable difference in response times.
A little word of caution, though. After my installation, I HAD to reset the router (not power-cycle) via the reset switch. If you notice any issues with your password not working properly, the device more than likely just needs a reset. Another way around this problem is to restore your router to its factory defaults prior to the Tomato installation.