[TECH]:: Stack Overflow major security breach - interesting lessons for ANY security dependent system


[TECH]:: Stack Overflow major security breach - interesting lessons for ANY security dependent system

RussellMc
Worth a read by anyone interested in the security of any system - even ones
vastly different to the one involved here.

In late April 2019 a highly competent and knowledgeable "hacker" began to
infiltrate the Stack Overflow system. Their very successful actions were
not detected for 12 days and it took several days more before they were
able to be fully blocked.

This fascinating (to some) account describes

 - how the attack proceeded and
 - what rights were obtained and
 - how both system defects and owner misuse of the system assisted the
attacker.

The detail involved is well outside my level of experience and
competence but I read it all as it is interesting in its own right and
useful in a general sense in showing how a persistent competent attacker
can find ways to infiltrate a complex system.


https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident/


      Russell McMahon
--
http://www.piclist.com/techref/piclist PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist

Re: [TECH]:: Stack Overflow major security breach - interesting lessons for ANY security dependent system

Harold Hallikainen-3

>
> https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident/
>
>
>       Russell McMahon

Thanks for posting that! It IS an interesting read. As systems get more
and more complicated, it is difficult to plug all the holes!

It IS the wild west out there. I block IP addresses after a small number
of failed SSH logins. Today's log shows I blocked 75 in the past day. I
have thousands of IP addresses blocked. Based on these blocked IP
addresses, 194 IP connections were refused today. Some attempted hundreds
of times. I use spamcop and spamhaus to check incoming email. Today 444
out of a total of 472 were blocked.

Finally, whenever there IS a successful SSH login (and they should only be
from me), I gen an email and text message. I use two factor authentication
(text message) whenever I can.

Harold



--
FCC Rules Updated Daily at http://www.hallikainen.com
Not sent from an iPhone.
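The two checks Harold describes (counting failed SSH logins per source address and raising an alert on any successful login that is not from the address he normally uses) can be reproduced over sshd log lines. This is an added example written for this thread, not code from Harold or from the list: the log lines are constructed, the failure threshold and the trusted address are assumptions, and a real deployment would hand the resulting addresses to a firewall or to a tool such as fail2ban rather than just returning them.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from any real host). 203.0.113.7
# fails four times, 192.0.2.9 twice, and there are two successful logins:
# one from the address the admin normally uses and one from elsewhere.
SAMPLE_LOG = """\
Jan 27 11:28:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 27 11:28:03 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 27 11:28:06 box sshd[2104]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 27 11:28:09 box sshd[2106]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 27 11:29:11 box sshd[2110]: Failed password for pi from 192.0.2.9 port 40001 ssh2
Jan 27 11:29:15 box sshd[2112]: Failed password for pi from 192.0.2.9 port 40003 ssh2
Jan 27 11:30:00 box sshd[2120]: Accepted publickey for harold from 198.51.100.10 port 50000 ssh2
Jan 27 11:31:00 box sshd[2130]: Accepted password for harold from 203.0.113.50 port 50010 ssh2
Jan 27 11:31:02 box sshd[2130]: pam_unix(sshd:session): session opened for user harold by (uid=0)
"""

# Assumed policy values (not from the thread): block after 3 failures, and
# treat 198.51.100.10 as the only address a successful login is expected from.
BLOCK_THRESHOLD = 3
TRUSTED_IPS = {"198.51.100.10"}

# Matches both "Failed password for [invalid user] X from IP port N" and
# "Accepted <method> for X from IP port N" as OpenSSH writes them.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<kind>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return {'event': 'failed'|'accepted', 'user', 'ip'} or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = "failed" if m.group("kind").startswith("Failed") else "accepted"
    return {"event": event, "user": m.group("user"), "ip": m.group("ip")}


def events(log):
    """Yield the parsed authentication events in a block of log text."""
    for line in log.splitlines():
        ev = parse_line(line)
        if ev:
            yield ev


def failed_attempts(log):
    """Count failed logins per source address."""
    return Counter(ev["ip"] for ev in events(log) if ev["event"] == "failed")


def ips_to_block(log, threshold=BLOCK_THRESHOLD):
    """Addresses that reached the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in failed_attempts(log).items() if n >= threshold)


def unexpected_logins(log, trusted_ips=TRUSTED_IPS):
    """Successful logins from any address not in the trusted set: these are
    the ones worth an email or text message."""
    return [(ev["user"], ev["ip"])
            for ev in events(log)
            if ev["event"] == "accepted" and ev["ip"] not in trusted_ips]


if __name__ == "__main__":
    for ip, n in failed_attempts(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} failed logins")
    print("block:", ips_to_block(SAMPLE_LOG))
    for user, ip in unexpected_logins(SAMPLE_LOG):
        print(f"ALERT: successful login for {user} from untrusted address {ip}")
```

Counting over the whole log is enough to show the idea; a production version would keep the counts per time window so that an old, slow trickle of failures does not accumulate into a block, and would expire blocks after a while, which is exactly what fail2ban's findtime and bantime settings do.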

Re: [TECH]:: Stack Overflow major security breach - interesting lessons for ANY security dependent system

sergio


On Wed, 27 Jan 2021, Harold Hallikainen wrote:

>
>>
>> https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident/
>>
>>
>>       Russell McMahon
>
> Thanks for posting that! It IS an interesting read. As systems get more
> and more complicated, it is difficult to plug all the holes!
>
> It IS the wild west out there. I block IP addresses after a small number
> of failed SSH logins. Today's log shows I blocked 75 in the past day. I
> have thousands of IP addresses blocked. Based on these blocked IP
> addresses, 194 IP connections were refused today. Some attempted hundreds
> of times.

I take a different approach: I block all SSH access via the firewall and
only allow access from select IP addresses. I have a system in place that
allows me to open SSH to a specific IP address from outside the firewall
if I have a need while I am away from home. It uses a web interface.

The web server is also protected from attacks. Specific attacks are dealt
with aggressively and also immediately blocked (via the firewall) whereas
suspicious activity is blocked after multiple attempts.

Since doing things this way the number of attacks has dropped like a
stone.

Regards
Sergio Masci
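Sergio's layout (SSH dropped at the firewall unless the source address is on an allowlist, plus a way to add one address temporarily while away from home) maps naturally onto an nftables set with timeouts. The following is an added example, not Sergio's actual configuration or anything from the list: it generates the ruleset text, and it shows the validation the web-facing "open SSH for this address" function needs before it ever touches the firewall, since that form is itself reachable from outside. Table and set names, the static allowlist address and the permitted lifetimes are assumptions.

```python
import ipaddress
import subprocess

# Assumed names and values (not from the thread).
TABLE = "inet filter"
SET_NAME = "ssh_allow"
STATIC_ALLOW = ["198.51.100.10"]          # address that is always allowed (constructed)
ALLOWED_LIFETIMES = ("30m", "1h", "4h")   # lifetimes the web form may request

# Source ranges that make no sense for a "let me in from outside" request.
REJECT_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def ruleset(static_allow=STATIC_ALLOW):
    """nftables ruleset text: tcp/22 is dropped unless the source is in the set.
    'flags timeout' lets entries added by open_ssh_command expire on their own;
    the ct rule keeps an already-open session alive after its entry expires."""
    for ip in static_allow:
        ipaddress.IPv4Address(ip)   # raises on a malformed static entry
    elements = ", ".join(static_allow)
    return f"""table {TABLE} {{
  set {SET_NAME} {{
    type ipv4_addr
    flags timeout
    elements = {{ {elements} }}
  }}
  chain input {{
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    tcp dport 22 ip saddr @{SET_NAME} accept
    tcp dport 22 drop
  }}
}}
"""


def validate_request(ip_text):
    """Return the canonical address if ip_text is a single, routable IPv4
    address, else None. Host names, CIDR ranges, IPv6, shell metacharacters
    and private ranges are all refused before anything reaches nft."""
    try:
        ip = ipaddress.IPv4Address(ip_text.strip())
    except ValueError:          # AddressValueError is a ValueError subclass
        return None
    if any(ip in net for net in REJECT_NETS):
        return None
    return str(ip)


def open_ssh_command(ip_text, lifetime="1h"):
    """argv for nft that adds a temporary set element; raises on bad input."""
    ip = validate_request(ip_text)
    if ip is None:
        raise ValueError(f"refusing to open SSH for {ip_text!r}")
    if lifetime not in ALLOWED_LIFETIMES:
        raise ValueError(f"unsupported lifetime {lifetime!r}")
    family, table = TABLE.split()
    # Built as an argv list, never a shell string, so nothing gets re-parsed.
    return ["nft", "add", "element", family, table, SET_NAME,
            "{", ip, "timeout", lifetime, "}"]


def open_ssh(ip_text, lifetime="1h"):
    """What the web handler calls once the request itself is authenticated."""
    subprocess.run(open_ssh_command(ip_text, lifetime), check=True)


if __name__ == "__main__":
    print(ruleset())
    print(" ".join(open_ssh_command("203.0.113.5", "30m")))
```

The firewall side is the easy half; the point of validate_request is that the web interface which opens the hole is the new attack surface, so it accepts only a single, plausible IPv4 address and a lifetime from a fixed menu, and the nft call is made with an argument list rather than through a shell.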

Re: [TECH]:: Stack Overflow major security breach - interesting lessons for ANY security dependent system

Alan Pearce
Reminds me a bit of "The Cuckoo's Egg".

One possible download link ...
https://goodfileshare.com/the-cuckoos-egg-pdf/
there are others if that one doesn't suit.


On Thu, 28 Jan 2021 09:58:51 +0000 (GMT)
sergio <[hidden email]> wrote:

>
>
> On Wed, 27 Jan 2021, Harold Hallikainen wrote:
>
> >
> >>
> >> https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident/
> >>
> >>
> >>       Russell McMahon
> >
> > Thanks for posting that! It IS an interesting read. As systems get
> > more and more complicated, it is difficult to plug all the holes!
> >
> > It IS the wild west out there. I block IP addresses after a small
> > number of failed SSH logins. Today's log shows I blocked 75 in the
> > past day. I have thousands of IP addresses blocked. Based on these
> > blocked IP addresses, 194 IP connections were refused today. Some
> > attempted hundreds of times.
>
> I take a different approach, I block all SSH access via the firewall
> and only allow access from select IP addresses. I have a system in
> place that allows me to open SSH to a specific IP address from
> outside the firewall if I have a need while I am away from home. It
> uses a web interface.
>
> The web server is also protected from attacks. Specific attacks are
> dealt with aggressively and also immediately blocked (via the
> firewall) whereas suspicious activity is blocked after multiple
> attempts.
>
> Since doing things this way the number of attacks has dropped like a
> stone.
>
> Regards
> Sergio Masci


Re: [TECH]:: Stack Overflow major security breach - interesting lessons for ANY security dependent system

Neil Cherry-3
On 1/27/21 11:28 PM, Harold Hallikainen wrote:

> of times. I use spamcop and spamhaus to check incoming email. Today 444
> out of a total of 472 were blocked.

Not quite part of the Stack Overflow issue but my email address gets blocked
way too many times because of issues with both systems lumping the innocent with
the guilty. I do use other email addresses to avoid that but it's annoying. And
yes I know it's an issue in more than one place (aggressive mail check and poor
service provider service).

--
Linux Home Automation         Neil Cherry       [hidden email]
http://www.linuxha.com/                         Main site
http://linuxha.blogspot.com/                    My HA Blog
Author of:     Linux Smart Homes For Dummies

Re: [TECH]:: Stack Overflow major security breach - interesting lessons for ANY security dependent system

Harold Hallikainen-3

> Not quite part of the Stack Overflow issue but my email address gets blocked
> way too many times because of issues with both systems lumping the innocent
> with the guilty. I do use other email addresses to avoid that but it's
> annoying. And yes I know it's an issue in more than one place (aggressive
> mail check and poor service provider service).
>
> --
> Linux Home Automation         Neil Cherry       [hidden email]


That can indeed be an issue. The rented server I use is in a "bad
neighborhood," so emails directly from it would be blocked. I pay another
company a small annual fee to relay my email, and that works all the time
with one exception. Our local recreation department does not receive
emails from that server. They just seem to disappear (though maybe they
are in a spam folder that no one is looking at). So, I have another rented
hosting service (just web and email, not root access like my main one)
that I use to send email to them.

On the rare occasion that I get an email bounce, I've been able to
contact the people at the relay server, and they have been able to resolve
the issue. ISPs need to remove spammers so their other customers' emails
do not get blocked.

Thanks for the comment!

Harold



FCC Rules Updated Daily at http://www.hallikainen.com
Not sent from an iPhone.