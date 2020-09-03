Security: IPFire, Reproducible Builds (diffoscope), and SH Credential Honeypots
Thoughts on operations security for the masses
The last post discussed a secure configuration of the IPFire firewall engine, and, like all other previous posts of this series, referred to a certain aspect of or information security in general. Although if this is undoubtedly an important aspect of IT security - perhaps the most important one -, it is worth looking beyond the box.
Therefore, this post focuses on operations security (commonly abbreviated as "opsec") and its importance for the masses. We will learn how infosec and opsec affect each other, why opsec should play a role in everybody's life, and how it can look like in particular. Depending on your adversaries and threat level, this post might be too paranoid or not paranoid enough - the author would like to apologise for both cases. Also, it is not directly related to IPFire, however, the author assumes that IPFire users are more security-conscious than the average internet user.
Reproducible Builds (diffoscope): diffoscope 159 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 159. This version includes the following changes:
[ Chris Lamb ] * Show "ordering differences only" in strings(1) output. (Closes: reproducible-builds/diffoscope#216) * Don't alias output from "os.path.splitext" to variables that we do not end up using. * Don't raise exceptions when cleaning up after a guestfs cleanup failure. [ Jean-Romain Garnier ] * Make "Command" subclass a new generic Operation class.
You find out more by visiting the project homepage.
David Tomaschik: Lessons Learned from SSH Credential Honeypots
For the past few months, I’ve been running a handful of SSH Honeypots on some cloud providers, including Google Cloud, DigitalOcean, and NameCheap. As opposed to more complicated honeypots looking at attacker behavior, I decided to do something simple and was only interested in where they were coming from, what tools might be in use, and what credentials they are attempting to use to authenticate. My dataset includes 929,554 attempted logins over a period of a little more than 3 months.
If you’re looking for a big surprise, I’ll go ahead and let you down easy: my analysis hasn’t located any new botnets or clusters of attackers. But it’s been a fascinating project nonetheless.
In a surprise to absolutely nobody, root is by far the most commonly tried username for login sessions. I suspect there must be many attackers trying lists of passwords with just root as the username, as 78% of attempted logins were with username root. None of the remainder of the top 10 are particularly surprising, although usuario was not one I expected to see. (It is Spanish for user.)
Blank passwords are the most common attempted passwords, followed by other obvious choices, like 123456 and password. Just off the top 10 list was a surprising choice of password: J5cmmu=Kyf0-br8CsW. Interestingly, a Google search for this password only finds other people with experience running credential honeypots. It doesn’t appear in any of the password wordlists I have, including SecLists and others. If anyone knows what this is a password for, I’d love to know.
