It happened to Google – are you next?
Well, it happened to Google (and a number of other companies in late 2009, early 2010) – hackers reached deep? into the information trove. So, who cares? This goes on constantly, yes?
We have been lulled by our penchant for convenience – it has to be ‘easy’ or we are reluctant to ‘go there’; this happens both personally (probably first – which brings this ‘view’ into the workplace…) and at work [unless you are the person responsible for network/system security.]
In an environment where ‘web companies’ tend to be coder-heavy or designer-heavy (or designer-focused) there is a strong chance that security is not on the radar at all; it’s just a server, database, whatever – why should anyone care? Besides, the firewall is supposed to protect us. [Yes, Google used a firewall and I am sure that they also had and mostly followed a number of security policies...]
Hmm, at this point looking at Google or one of the other companies affected may be worth considering: How is it that several companies known to employ some of the brightest minds around would allow themselves to be victims from such an attack? I’m not going to attempt to answer this – it’s simply worth some thought – I will say that Defense-in-Depth is always a good idea. Summary points (based on what I have read about the incident):
- internal PCs were compromised via the Internet
- sensitive data was stolen
- the intrusion was tracked back to IP space in China (a university)
So, what can you do?
Items for Web site owners/managers to ponder
- a D.i.D posture is suggested – Defense-in-Depth – all gear should have appropriate security measures in place, i.e. firewall (access control), anti-virus software (all computing devices/phones), well understood policies and procedures, etc.
- do you need international traffic? (Geo-IP blocking – do you need all that traffic from country X? region X? – are there negative financial or other impacts if you deny such traffic? Should you provide [re-direct] traffic to customized regional content/services?)
- is there any correlation between web access and other network service logs? (i.e. access from same IP/sub-net/region over any period of time?)
- IP & referrers – how are visitors arriving? (direct path? search engine? un-related web sites?) [Beginning in March/April of 2010 I have noted significant, non-content-related referrer log entries from mostly European IP space - most likely purveyors of SPAM or Malware...]
Some Real Data
The numbers in the chart below show a count of the number of IP addresses that I block (by country.) The IP addresses were extracted from log files where some level of non-friendly access was attempted. Note that the count of abuse from US IP space is much higher – could be we have more network miscreants, could be we have a lot of drones on bot-nets controlled from other countries, could be both or something else. It would not make sense for me to block all ‘US’ traffic but it might make sense to block some of the other listed countries.
1106 | US, United States 300 | CN, China 181 | DE, Germany 170 | KR, Korea, Republic of 146 | UA, Ukraine 136 | NL, Netherlands 132 | GB, United Kingdom 116 | RU, Russian Federation 100 | PL, Poland 84 | ES, Spain 80 | FR, France 80 | CA, Canada 70 | RO, Romania 70 | BR, Brazil
Operational Changes that may help avoid Hacking problems
- Don’t be a 24×7x365 target (turn OFF cable/DSL modems when not needed – if all Internet connected users did this it would cause a major disruption to bot-nets as well as reducing the chances of a successful system/network hack attempt…); this applies for both home or office use; the ‘drones’ or ‘bot-nets’ of hackers are constantly probing your network connections – they can’t get in if your cut off the access…
- use GeoIP based rules in your firewall – explicitly ALLOW access and/or explicitly DENY access (using a ’stateful’ firewall is encouraged)
- use GeoIP based rules in your web server – explicitly ALLOW access and/or explicitly DENY access (is there a business reason to allow OR deny access to specific global regions, countries or cities?) and/or
- use GeoIP based rules in your web application firewall (WAF, i.e. mod_security) – this typically provides additional options and/or refinements that may not be possible in your web server configuration – explicitly ALLOW access and/or explicitly DENY access
Ok, you have made some configuration changes and are now explicitly denying access based on Geo-location data to your network/web server/email server/whatever server – can you relax? Hmm, not really… Some items to consider:
- GeoIP location data changes - so you will need to update it periodically (you can subscribe to a commercial service that provides frequent, regular updates or you can implement a less frequent, manual or semi-automatic update, i.e. monthly.)
- bot-nets (networks of drone computers) may be accessing your resources from non-blocked IP space (i.e. hacker in China controls bot-net in US which is used to access your systems); this is a cat-and-mouse scenario - you have few choices: 1) block access via IP space/address, 2) involve the owner(s) of the IP space (they should all have network abuse policies in place, and 3) keep your firewall and WAF rules updated… If all ISPs blocked malicious network traffic then the bad guys would be isolated; there are many items to consider including blocking ‘good traffic’ but the only way to remove this problem is to divide and conquer (or isolate and conquer.)
- Spiders are everywhere – how many of them do you benefit from? This is difficult to answer – if you block access for a specific region/country then you are blocking ALL traffic which may include ‘good guys’ – this is a business/sanity decision.
Resources
- GeoIP data sets – both free and commercial service – http://MaxMind.com
- mod_security - web application firewall (WAF) for your Apache server (using a proxy/gateway you can protect/shield multiple servers including non-Apache servers)
- geoiplookup – a shell script that will most likely be included when you install GeoIP tools; easy to use with simple results, i.e.
geoiplookup 69.147.125.65 GeoIP Country Edition: US, United States
In future posts I may provide examples for:
- Apache configuration – directives to deny/allow access based on GeoIP data
- PHP programming – to deny/allow access based on GeoIP data
- Perhaps other tools/languages for using GeoIP data (i.e. Ruby, Bash or Perl)
As stated in other posts, making these types of changes can (will!) affect the operation of your services, systems, networks and/or servers – testing is highly encouraged! (And yes, I did block myself and a few visitors while testing – but only briefly…) 
Related posts:
- GeoIP Blocking – examples for Apache The GOOD news – using the GeoIP module (mod_geoip.c.) can...
- Google & The China-Hack! Hmm, imagine this – The C-HACK! of 2009 Update (2/7/2010)...
- Apache, mod_security & GEO-IP I previously posted about using the mod_geoip Apache module to...
- GeoIP and Php – simple examples This is a brief/simple example of using PHP with the...
- Linux firewall – iptables 101c GEO Blocking network access – blocking specific IP blocks (GEO-blocking...