November 20, 2012

How-To: Tips for Shopping Online

Black Friday and the Monday that follows, which we have somewhat recently taken to calling Cyber Monday, are two of the biggest shopping days of the year. The tradition of getting off to a fast start on your holiday shopping by getting out there on the Friday after Thanksgiving that most Americans take as a vacation day dates back to the 1960s. Cyber Monday, on the other hand, was created by online retailers sometime in the last decade in an attempt at squeezing one more day of shopping mania out of consumers.

These manufactured holidays are probably detracting from the quaintness of what used to be a perfectly Rockwellian day of football and food and football. But the deals, they’re just so good, you would have to be made of stone to resist! So we produced this short video to help consumers stay safe online, not just on Cyber Monday and Black Friday, but throughout the holiday shopping season.

Via Threatpost

November 13, 2012

How-To Video: Facebook Privacy

In the previous video in our how-to series, Securing Facebook, we reported that the social networking giant was rapidly approaching one billion active users. Facebook has since surpassed that mark. Considering that, we produced a video detailing and explaining how to implement some simple, built-in features on the world’s largest social network that should help keep your profiles as private as possible.

via Threatpost

September 18, 2012

Securing Your Facebook

Facebook’s active-user count is rapidly approaching one billion. The world’s largest social network, which has long been a popular target and platform for attackers, will only become a more relevant outlet for scams and other fraud as it continues to grow. While the target grows, so too does the need to secure our accounts. With that in mind, we will discuss some simple ways of bolstering the security of our Facebook accounts in the second installment of our how-to video series.

July 25, 2012

TED Talk: Your phone company is watching

What kind of data is your cell phone company collecting? Malte Spitz wasn’t too worried when he asked his operator in Germany to share information stored about him. Multiple unanswered requests and a lawsuit later, Spitz received 35,830 lines of code — a detailed, nearly minute-by-minute account of half a year of his life.


November 11, 2011
Threatpost Video: The Changing Threat Landscape

August 29, 2011


The Dark Side of Remote Desktop

Organizations large and small often make use of Remote Desktop or Terminal Services to remotely connect to Windows computers over the Internet and internally. These tools use Microsoft’s RDP protocol to allow the user to operate the remote system almost as if sitting in front of it. Such capabilities are helpful not only for legitimate users, but also for attackers.

The Internet community saw a reminder of the dark side of RDP with the emergence of the “Morto” worm. According to F-Secure, a system infected with the worm scans the local network for systems listening on TCP port 3389 and, when it finds them, attempts to log in to them via RDP by guessing the Administrator password. The worm uses a list of 30 common passwords, which include favorites such as “password” and “12345678”.

The emergence of this worm correlates with the increased volumes of TCP port 3389 traffic reported by SANS Internet Storm Center a few days prior to the F-Secure report.

The propagation approach employed by “Morto” is often used by penetration testers and human attackers alike: access the remote host by brute-forcing the password. One free tool that can automate this process is TSGrinder. You can see TSGrinder in action in the video I attached to this post. Note that TSGrinder is relatively slow, and requires that an older version of Remote Desktop client be installed on the attacking system.

A more modern (and faster) tool for remotely brute-forcing RDP credentials is Ncrack. Ncrack is a command-line tool that also supports a variety of other protocols, including SSH, VNC and FTP. In addition to being available as source code, Ncrack can be downloaded in compiled form for Windows and OS X. (Update: For more on using Ncrack for RDP cracking, see Chris Gates’s post on the Carnal0wnage blog.)

Brute-forcing passwords on the internal network using tools such as TSGrinder and Ncrack is often quite effective. The approach also works over the Internet in many cases, because organizations often expose TCP port 3389 for remote access to workstations and servers over the Internet.

We can use the emergence of the “Morto” worm as a reminder to examine the use of Remote Desktop for remote access to systems over the Internet. Consider requiring an authenticated VPN connection before anyone has the ability to connect to this service. If you have to expose the service to the Internet without a VPN, don’t use the default port TCP 3389; instead pick a random high-numbered port. And, it goes without saying, use strong passwords and non-Administrator accounts. Lastly, consider configuring user accounts for auto-lockout after a number of unsuccessful logon attempts, while recognizing the potential for denial-of-service attacks when the attacker could trigger such a condition remotely.
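To spot the password guessing described above from the defender's side, the following added example (not part of the original post) scans exported Windows logon events for bursts of failed RDP logons from one source. The CSV layout, host names and addresses are constructed for illustration; event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive (type 3 appears when Network Level Authentication is in use).

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: time,host,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2011-08-29T10:00:01,WS01,4625,10,Administrator,10.0.0.57
2011-08-29T10:00:03,WS01,4625,10,Administrator,10.0.0.57
2011-08-29T10:00:05,WS01,4625,10,Administrator,10.0.0.57
2011-08-29T10:00:06,WS02,4625,10,Administrator,10.0.0.57
2011-08-29T10:00:08,WS02,4625,10,Administrator,10.0.0.57
2011-08-29T10:00:09,WS02,4625,10,Administrator,10.0.0.57
2011-08-29T10:00:11,WS02,4624,10,Administrator,10.0.0.57
2011-08-29T10:05:00,WS03,4625,10,alice,10.0.0.12
2011-08-29T10:05:20,WS03,4624,10,alice,10.0.0.12
2011-08-29T10:06:00,WS03,4625,2,bob,-
"""

RDP_LOGON_TYPES = {"3", "10"}  # 3 = Network (NLA), 10 = RemoteInteractive


def detect_rdp_guessing(text, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= threshold failed RDP logons inside the window."""
    recent = defaultdict(deque)   # source -> timestamps of failures in window
    hosts = defaultdict(set)      # source -> every host it failed against
    alerts = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6 or row[3] not in RDP_LOGON_TYPES:
            continue              # skip malformed rows and non-RDP logon types
        ts, host, event_id, _, _account, src = row
        when = datetime.fromisoformat(ts)
        if event_id == "4625":                      # failed logon
            hosts[src].add(host)
            q = recent[src]
            q.append(when)
            while when - q[0] > window:             # drop failures that aged out
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    src, {"hosts": hosts[src], "peak": 0, "success_after": False})
                alert["peak"] = max(alert["peak"], len(q))
        elif event_id == "4624" and src in alerts:  # success after a flagged burst
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_guessing(SAMPLE_EVENTS).items():
        print(src, sorted(info["hosts"]), info["peak"], info["success_after"])
```

A flagged source that failed against several hosts is consistent with the local-network scanning described for the worm, and `success_after` marks a source whose burst was followed by a successful logon and should be investigated first.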

Lenny Zeltser