The most significant attacks addressed by security teams in the Danube region

On March 15, 2016, the concluding conference of the project “Cyber security in the Danube region” (CS Danube) took place. The project brought together representatives of security teams and organizations from Croatia, Austria, Slovakia, Serbia and Moldova, as well as our team CSIRT.CZ; its main objective was to strengthen the capacity of the individual teams and their cooperation in cyber security.

Metal or not metal? That is the question!

This Hamletesque question has haunted our team in connection with Omnia for a few months. Turris Omnia was introduced as a home router in a nicely shaped plastic case, and for a long time we did not even consider other options. The 5 GHz Wi-Fi connection was to be provided by three external antennas, while the “older” 2.4 GHz Wi-Fi was to be broadcast, more out of obligation than anything else, by two internal antennas, essentially for backwards compatibility with older devices.

Useful tools for malware analysis

In early October, the international project “Cyber Security in the Danube Region” organized training for security teams operating within the region. As the sharing of information and knowledge is essential in the field of security, I decided to write a post drawing the attention of the security community in the Czech Republic to two very interesting free tools.

Insistent router botnet

Not so long ago, monitoring attackers in our telnet honeypots helped reveal an interesting botnet composed of ASUS brand home routers. Over the last two weeks, the botnet most frequently trying to log into the SSH honeypot running on our Turris routers has been one whose IP addresses, according to Shodan, often share one characteristic: they respond with the cookie AIROS_SESSIONID on port 80. This cookie points to AirOS running on a Ubiquiti airRouter. According to Shodan data, about 20% of the roughly 6500 attacking IP addresses can be identified as AirOS by this cookie. Many addresses, however, come from dynamic pools not yet known to Shodan.

CSIRT tools

No larger team can work with a single data source and a single incident management system today (at least we do not know of such a team yet). That is why every team is engaged in developing its own tools, or at least its own extensions to existing ones.

Overview of multiplatform password managers

The news about the LastPass hack broke recently. If the user had a strong password, the password is not brute-forceable. However, dictionary passwords, along with passwords guessable through mutation rules and Markov chains, can be broken up to a length of 12 characters on a single GPU, even though LastPass’s key derivation function (KDF) uses 100000 iterations. This means that if the attacker can crack a user’s simple password, the attacker can download the encrypted blob containing that user’s passwords from LastPass and use the cracked password to decrypt it. The weakest link here is the password strength.