Orca
Welp, I've been safe for in excess of 10 years, but AT&T just fired off an email saying that I've been detected connecting to an IRC server associated with botnets. Joy. And all my scans thus far have come up naught, so I don't even know which one of my 4 computers it is.
Or if it's just AT&T being pissy because I use Efnet.
All the info they gave was a single time. No server(s) connected to, no ports, nothing that might at least narrow down which possible nasties it might be...or if it's just a false alarm.
I really don't want to have to reload 4 machines. -_-
Orca (edited September 2011)
edit: double post hooo!
TetraNitroCubane
Ooof. That's a royal pain. What've you been using to scan, if I can ask? I'd do sweeps with TDSSKiller and Hitman Pro to begin with, and think about using a Linux LiveCD or other Rescue CD as well to scan each machine in turn. Otherwise, you might get away with monitoring your router to see if there's any traffic heading toward IRC servers you're unfamiliar with? I don't know the specifics of how to do that, but I know it's possible. I'd assume that running a netstat check on each machine would be fruitless in the event of an actual infection, as the nasty would probably mask open ports. The final thing to do might be to call up AT&T and get more information, like the IP address of the IRC network they're worried about. Then you could see if it is just them getting pissy about connecting to EFNet. But in all honesty, reformatting and reloading four computers might be an easier task than dealing with AT&T tech support.
That's a really awful way to tell someone they're infected, too. IRC traffic is very ambiguous, and not at all a definitive indicator, if you're someone who frequents IRC. Methinks maybe someone at AT&T has been watching too much CSI.
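The router-side check suggested above, as an added example that is not part of the original thread: it reads iptables-style connection-tracking lines from a home router (a constructed sample using RFC 5737 documentation addresses) and reports which LAN host opened IRC-port connections to servers outside an allowlist of the ones you knowingly use, which is what narrows the question to one of the four machines. The log format, the port set and the allowlist network are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports IRC commonly listens on: 6665-6669 plaintext, 6697 TLS, 7000 on some networks.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Assumed allowlist: the network(s) your legitimate IRC servers live in (EFNet in the thread).
# RFC 5737 documentation addresses stand in for real server IPs.
KNOWN_IRC_SERVERS = [ip_network("198.51.100.0/28")]

# Constructed sample of iptables-style "NEW connection" log lines from a home router.
SAMPLE_LOG = """\
Oct 10 21:14:02 router kernel: NEW TCP SRC=192.168.1.10 DST=198.51.100.5 SPT=49152 DPT=6667
Oct 10 21:14:09 router kernel: NEW TCP SRC=192.168.1.10 DST=203.0.113.80 SPT=49153 DPT=443
Oct 10 21:15:30 router kernel: NEW TCP SRC=192.168.1.12 DST=203.0.113.44 SPT=51000 DPT=6667
Oct 10 21:16:01 router kernel: NEW TCP SRC=192.168.1.12 DST=203.0.113.44 SPT=51001 DPT=6667
Oct 10 21:17:45 router kernel: NEW TCP SRC=192.168.1.11 DST=198.51.100.7 SPT=40000 DPT=6697
Oct 10 21:18:10 router kernel: NEW UDP SRC=192.168.1.13 DST=203.0.113.9 SPT=5353 DPT=53
"""

LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_connections(log_text):
    """Yield (src, dst, dport) for every TCP line; lines that don't match are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "TCP":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def is_known_server(dst):
    """True if dst falls inside one of the allowlisted IRC server networks."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_IRC_SERVERS)


def find_unexpected_irc(log_text):
    """Map each LAN source host to the unknown IRC-port destinations it reached, with counts.

    The router sees these flows even when a rootkit hides the socket from netstat on the host,
    which is why this beats a per-machine check once an infection is suspected.
    """
    suspects = defaultdict(lambda: defaultdict(int))
    for src, dst, dport in parse_connections(log_text):
        if dport in IRC_PORTS and not is_known_server(dst):
            suspects[src][dst] += 1
    return {src: dict(dsts) for src, dsts in suspects.items()}


if __name__ == "__main__":
    for host, dsts in find_unexpected_irc(SAMPLE_LOG).items():
        for dst, n in dsts.items():
            print(f"{host} -> {dst} on an IRC port, {n} connection(s): check this machine first")
```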
Orca
I've used MSE and MalwareBytes so far, so Hitman et al. I'll have to do next.
And I already tried to get info from them. It took about an hour before they finally came out and said more or less "I have no further info for you". Great! You useless sods. :P
Xeddicus
Give TDSSkiller a shot, but it's format time I'd say.
TetraNitroCubane (edited September 2011)
Had a bit of a heart-stopper this morning when logging out of GMail started to redirect me to a "blocked content" page. Thought for sure I'd been hijacked, until I remembered that I specifically blocked all non-HTTPS versions of GMail quite some time ago, to encourage me to only use HTTPS. I guess they've recently changed things so that logging out spits you to http://www.google.com/mail/help/somethingorother, rather than the secure login page like it used to.
The reason I mention it is that before I realized what had happened, I gave myself a quick once-over with Hitman and TDSSKiller. TDSSKiller looks to have gotten a nice little upgrade recently, including some new scanning methods. So everyone be sure to use the additional scanning options when searching for the nasties.
Also, Shroud, if you've been hit with a rootkit I fear the malware apocalypse is upon us. You're one of the most security-minded people I've interacted with on the forums, so that gives me serious pause for thought. I'd echo Xeddicus, though. Drop a train on 'em - Reformat for sure. Also, be sure to reset your router firmware if you saw DNS poisoning - TDL4 tries its hardest to worm into routers these days.
Orca
Well, a few days later (now that I've had the time to sit down and run some scans) and I've turned up zilch. I guess I should just chalk this one up to a false positive of some sort. Or a nontrivial threat that the usual parade of software can't detect.
But I'm still worried.
And I wish AT&T would provide enough information to actually diagnose a threat if they're going to pull this bullshit, because the amount of info they gave me was virtually useless.
I'm looking for some advice with regards to password managers. I need something I can access from multiple PCs and iPhone/iPad support would be good. Even though I do know better I probably only have 5 or 6 passwords for everything I do so am looking for some general advice. I was thinking some sort of encrypted document in DropBox but am clueless. Any help appreciated.
Orca
KeePass I believe has an android version; there may be an iOS version as well. Synchronization is probably a good idea for backups, but might be less so for security (if you get rooted and your master password is stolen...).
What's the state of cellphone security these days? Other than the obvious problem of losing the blasted things.
There was a thread in this subforum not that long ago about password managers and I picked up LastPass as per quite a few peoples' recommendations.
I paid for a year's premium service (I can't remember how much it was, but it certainly wasn't more than $20) and I couldn't be happier with it. The premium service is required for the LastPass app, which works a treat on Android (dunno about Mango though) and iOS.
I use LastPass to generate all my passwords now and it autofills all my details for me. Honestly I don't think I could go back to not using a password manager now.
Fuu
Norton Power Eraser.
In the last year Symantec has pulled their heads out of their asses. I've gotten a chance to mess around with Norton 2012 and it is silly good. A buddy of mine installed it on his test box and threw in his flash drive from hell (lots of nasty malware in one quick installation), and it blocked everything. Pretty neat!
On the topic of NPE, I'd been struggling with a unit for the past few days and TDSSkiller kept coming back clean; NPE knocked the infection out first scan.
Orca
Norton not sucking complete ass?
I thought I was on drugs when I saw the flying pigs...
TetraNitroCubane
Believe it or not, Norton's been turning it around since they released Norton 360. They've consistently been gaining ground in most comparative antivirus tests, and they've done a considerable amount of work to reduce bloat. Of course, no one wants to touch their software regardless of that fact. Bring up Norton on a place like Reddit or even Wilders, and you'll get laughed off the internet. Their reputation is stuck in 2000 still.
I'm not familiar with Power Eraser, but that's certainly a fantastic tip. Thanks for the testimonial, Fuu. If I could edit the OP to add that to the tools link, I would. We're always better off with another tool to help us with analysis.
Thirding Lastpass. If you have a .edu email account, you can get six months premium service free. Works with international accounts too (i.e. .edu.<country> - my uni email is like that and I was able to get in.)
Orca
Oh, nice. Does LastPass let you pull your passwords out? I've already attached a shedload of email addresses to sneakemail; I'm not sure I'm comfortable handing my passwords as well out to something I don't have full control over.
You can delete stored passwords, if that's what you mean. You can also open a site's page in the "vault" and view the stored password (if that's what you mean :P)
Orca
Thanks for the advice. As far as I can see the only difference between paid and free is the use on your phone? It looks cool, my only real concern is what if they are hacked or go bust...
Last Pass was hacked already this year. They never did divulge exactly how much was lost though they hinted at losing email addresses and master passwords. They supposedly updated their servers and increased the security, but once is too many times for a breach.
No, all anyone maybe got was the encrypted data on Lastpass' servers, and that information is useless without the master passwords. And the Lastpass folks didn't even think the information got out, they just couldn't explain why there was suddenly a lot of outbound traffic one day and decided to err on the side of caution and warn people to change their passwords.
stigweard
I only followed the first day when they were being alarmists and paranoid about it. From what I remember they were saying that the master passwords might have been taken but looking back at the news they said they theoretically could be found with the information taken. The CEO apparently ran damage control the next day but it doesn't matter, at best they told the truth and at worst it was spin control to prevent losing customers in droves. Storing all your passwords on a third party site is a bad idea anyway. I don't agree with using any service that can provide a single point of failure outside of my control.
TetraNitroCubane
They basically admitted to taking the most extreme measures possible given the situation, and I don't blame them one bit. It was all going on during the Hack-a-palloza fest right around the great PSN breach, and their quick and honest response was in stark contrast to Sony's handling of their own debacle. I can only imagine they wanted to avoid any potential pitfalls.
I'll admit I have the same feelings about password managers that make me a little distrustful of them. They're a single point of vulnerability. Then again, my head is full of so many passwords currently that it's only a matter of time before I completely lose my mind.
I use the name of the site and a salt, and run them through a memorable algorithm. Gives me a unique password for each site, don't need lastpass or whatever, and all my passwords look like f8w04nc7gakd. I use a different algorithm for different passwords, like my bank one has a unique algorithm too. Works pretty well for me so far.
I've been doing this for years. After all the breaches this year I had 30+ passwords to change so I got irritated and just went with Last Pass.
TetraNitroCubane
“We keep wiping it off, and it keeps coming back,” a source familiar with the network infection told Wired. “We think it’s benign. But we just don’t know.”
WHAT.
Look, guys. If the computer controlling your deadly predator drone has a trojan on it, the payload it delivers is secondary, because you shouldn't ever allow the thing it's controlling off the ground once you discover this fact. How'd it get infected in the first place? Because there's your more serious problem. Additionally, full stop. Abort. Eject. Bail out. Go no further. Don't shrug and say "It's probably harmless!".
The fact that it's not known how it got there in the first place is evidence enough that they don't know exactly what it's doing. Infections like this don't always operate out in the open, and if it keeps 'coming back', then chances are it has a little more control over the afflicted system than just keylogging.
This is probably just a case of the reporting being amped up a bit, and I'm overreacting. But even so, what the hell. Do military types plug any random USB stick they find into sensitive machines, like the FBI used to?
Mr_Rose (edited October 2011)
Yes. Yes they do. I recall they did a study with a bunch of USB keys with a specific "phone home" type payload left in the parks and restaurants around govt. installations and found that something like 80% got plugged into machines with sensitive info within hours.
Officials at Creech Air Force Base in Nevada knew for two weeks about a virus infecting the drone “cockpits” there. But they kept the information about the infection to themselves — leaving the unit that’s supposed to serve as the Air Force’s cybersecurity specialists in the dark. The network defenders at the 24th Air Force learned of the virus by reading about it in Danger Room.
“Nothing was ever reported anywhere. They just didn’t think it was important enough,” says a second source involved with operating the Air Force’s networks. “The incentive to share weaknesses is just not there.”
Not even when that weakness hits the robotic weapons that have become the lynchpin for American military operations around the planet.
TetraNitroCubane
I just facepalmed so hard I think I cleared my sinuses. Crimany. What's the logic here? That the infection can't phone home, and so it's harmless? That still seems like an exceptionally bad way to approach the problem. Particularly when the infection is so serious that it can't be cleaned off and they don't know where it's coming from. Yeeeesh.
We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks. We have taken steps to mitigate the activity.
The update goes on to claim that only a small fraction of users were afflicted, and that CC information is safe. Anyone who was compromised will receive an email and be forced to reset their password. SOE users are similarly going to be notified / reset in the event they were compromised.
I don't quite understand the reasoning behind this argument, though: "Given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks." Sounds to me like someone just finally got a hold of the PSN leak from last year, and tried to use the info directly. Everyone was forced to change their passwords, so the only people who'd get hit with this would be those who used the same one after the reset.
More info as it develops, though this sounds like a very minor incident.
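The failed-match ratio that Sony's notice reasons from, as an added example that comes neither from the thread nor from Sony: it runs over constructed sign-in log lines (RFC 5737 client addresses, invented account names) and flags a source that cycles through many distinct accounts with a high failure rate, then lists the accounts that source did get into, which are the ones that need the forced reset the notice describes. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sign-in events: one source replaying a list across many accounts, one ordinary
# user mistyping their own password, and one small probe that stays below the threshold.
SAMPLE_AUTH_LOG = """\
2011-10-11T03:00:01Z ip=203.0.113.7 user=alice result=FAIL
2011-10-11T03:00:01Z ip=203.0.113.7 user=bob result=FAIL
2011-10-11T03:00:02Z ip=203.0.113.7 user=carol result=FAIL
2011-10-11T03:00:02Z ip=203.0.113.7 user=dave result=OK
2011-10-11T03:00:03Z ip=203.0.113.7 user=erin result=FAIL
2011-10-11T03:00:03Z ip=203.0.113.7 user=frank result=FAIL
2011-10-11T03:00:04Z ip=203.0.113.7 user=grace result=FAIL
2011-10-11T03:00:04Z ip=203.0.113.7 user=heidi result=FAIL
2011-10-11T03:00:05Z ip=203.0.113.7 user=ivan result=FAIL
2011-10-11T03:00:05Z ip=203.0.113.7 user=judy result=FAIL
2011-10-11T03:02:10Z ip=198.51.100.2 user=alice result=FAIL
2011-10-11T03:02:25Z ip=198.51.100.2 user=alice result=FAIL
2011-10-11T03:02:40Z ip=198.51.100.2 user=alice result=OK
2011-10-11T03:05:00Z ip=203.0.113.8 user=mallory result=FAIL
2011-10-11T03:05:01Z ip=203.0.113.8 user=oscar result=FAIL
2011-10-11T03:05:02Z ip=203.0.113.8 user=peggy result=FAIL
"""

EVENT_RE = re.compile(r"ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def per_source_stats(log_text):
    """Aggregate attempts, failures, distinct accounts and successful accounts per client IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": set()})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # skip unparseable lines rather than crash on them
        s = stats[m.group("ip")]
        s["attempts"] += 1
        s["users"].add(m.group("user"))
        if m.group("result") == "OK":
            s["hits"].add(m.group("user"))
        else:
            s["failures"] += 1
    return stats


def flag_credential_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    A list lifted from someone else's breach fails against most accounts here, which is the
    "overwhelming majority ... failed" signal in the notice; a user fumbling their own password
    fails repeatedly on one account and is not flagged.
    """
    flagged = {}
    for ip, s in per_source_stats(log_text).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "fail_ratio": round(fail_ratio, 2),
                "accounts_to_reset": sorted(s["hits"]),  # pairs that matched: force a reset
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['attempts']} attempts, {info['fail_ratio']:.0%} failed; "
              f"reset {info['accounts_to_reset']}")
```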
Edit: Well Hitman found a rootkit.
Holy cow, LastPass should pay me a wage :roll:
http://security.symantec.com/nbrt/npe.aspx?
People write them down in notebooks unencrypted, so really a thumb drive would be a step up!
These days I'd trust a notebook more than unencrypted files on a thumb drive that's getting plugged into unsanitized computers. :P
Saw this one while catching up on news. Wonder if it is a bios, chipset, trojan mouse style infection.
In other news, heads up for all PSN users, via the Official Playstation Blog: