You and me both!
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
napalm.
Hackers are bad, but we really need to get serious. If you have a system that is mission critical, you need to have a come to Jesus moment right now.
Charlie Gilley
Stuck in a dysfunctional matrix from which I must escape...
"Where liberty dwells, there is my country." B. Franklin, 1783
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759
We could track down Osama and deal with him appropriately, why not these scumbags?
Get me coffee and no one gets hurt!
lack of will. Someone with balls needs to make a decision and stick with it. This is why we have dangerous men in the dark that you don't want to meet. Take off the gloves.
Charlie Gilley
Stuck in a dysfunctional matrix from which I must escape...
"Where liberty dwells, there is my country." B. Franklin, 1783
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759
charlieg wrote: Someone with balls needs to make a decision and stick with it.
The problem is that there are a lot of old women among the men.
charlieg wrote: This is why we have dangerous men that you don't want to meet in the dark.
Sending in armed forces to foreign countries is frowned upon, especially if that country possesses a large army of its own and nukes (as Russia does). I'm told that most intelligence services these days concentrate on electronic intelligence gathering; James Bond (and Felix Leiter) are passé these days.
--
The problem of ransomware will not be solved by brute force; it's too easy for a ransomware gang to move its operation elsewhere. It must be solved by technical means.
One (partial) solution would be separating the internet into secure and non-secure segments. A protocol should be defined that (a) forces identification of the origin of data in some way, and (b) ensures that recording a transaction would be useless by including a nonce in each packet. Using such a protocol in the interface between the secure internet and the non-secure internet would make it almost impossible to hack the secure internet - you would need the correct hardware device, the current nonce, and the nonce generation algorithm in order to get past the gateway. You could also ensure that security-sensitive operations such as changing the access rights for devices may only be performed from a device physically attached to the secure network, i.e. not via the unsecure network.
This idea would not solve the issue of a crooked employee selling his/her device to criminals, but would make it easy to plug the leak when it is discovered - revoke the access rights of the particular hardware used to access the secure segment.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
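An added illustration of the gateway sketched in the post above; it is not the poster's design and not any product's code. It assumes each enrolled device holds a secret key shared with the gateway, that the nonce is a strictly increasing counter, and that packets are authenticated with HMAC-SHA256 over device id, nonce and payload, so a recorded packet cannot be replayed and a revoked device is simply refused.

```python
import hmac
import hashlib
import json

def tag(key, device_id, nonce, payload):
    """Authenticate (device, nonce, payload) with the device's secret key."""
    msg = json.dumps([device_id, nonce, payload]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_packet(key, device_id, nonce, payload):
    """What an enrolled hardware device would send through the gateway."""
    return {"device_id": device_id, "nonce": nonce, "payload": payload, "tag": tag(key, device_id, nonce, payload)}

class Gateway:
    def __init__(self):
        self.keys = {}        # device_id -> secret key (fixed at enrolment)
        self.last_nonce = {}  # device_id -> highest nonce accepted so far
        self.revoked = set()  # hardware whose access rights were pulled

    def enroll(self, device_id, key):
        self.keys[device_id] = key
        self.last_nonce[device_id] = -1

    def revoke(self, device_id):
        self.revoked.add(device_id)

    def admit(self, packet):
        dev = packet["device_id"]
        if dev not in self.keys or dev in self.revoked:
            return False, "unknown or revoked device"
        if packet["nonce"] <= self.last_nonce[dev]:
            return False, "stale nonce: a recorded packet is useless"
        expected = tag(self.keys[dev], dev, packet["nonce"], packet["payload"])
        if not hmac.compare_digest(expected, packet["tag"]):
            return False, "bad tag: payload or origin was altered"
        self.last_nonce[dev] = packet["nonce"]
        return True, "ok"

def demo():
    gw = Gateway()
    key = b"constructed-device-key"   # constructed; a real one would live in hardware
    gw.enroll("dev-A", key)
    p1 = make_packet(key, "dev-A", 1, "change-acl")
    first, replay = gw.admit(p1)[0], gw.admit(p1)[0]   # second admit is a replay
    p2 = make_packet(key, "dev-A", 2, "change-acl")
    tampered = gw.admit(dict(p2, payload="open-all"))[0]  # tag no longer matches
    fresh = gw.admit(p2)[0]                               # untouched packet still passes
    gw.revoke("dev-A")                                    # the "plug the leak" step
    return first, replay, tampered, fresh, gw.admit(make_packet(key, "dev-A", 3, "x"))[0]
```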
There are ways to put pressure on countries that harbor these criminals without the need to send in armed forces. I just feel that we are too soft on countries like Russia from where these scumbags operate with impunity. And yes, you are right. It can be done without armed intervention.
Get me coffee and no one gets hurt!
I wonder if DOJ will get a recovery fee? Interesting that DOJ/feds have had this ability to 'hack the hackers' and 'follow the money' but are only now using that ability.
They only got away with around $1M. I'd prefer a stronger message for the ransomware gangs.
"Go forth into the source" - Neal Morse
"Hope is contagious"
Quote: I'd prefer a stronger message for the ransomware gangs
Yup! A MUCH stronger message!
Get me coffee and no one gets hurt!
Does Pepsi fire employees if they test positive for Coke?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
Not sure, let me consult with Dr. Pepper.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikin's uncle
They have their own special health program. Anyone testing negative for artificial additives is fired.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
Would Diet Caffeine Free Varieties give a false positive or a false negative?
To err is human; to really elephant it up you need a computer
Just false sweetness.
- I would love to change the world, but they won’t give me the source code.
There is actually a lot of truth in that joke.
As they've clearly lost their sparkle they'd be fired flat-out.
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
I have an old Android tablet past its Best Before date that I only use these days to display my router's real-time bandwidth usage monitor.
Every once in a while, it'll show I have some device downloading something at a steady 2-3 Mbps, for either minutes or even hours on end. This is not maxing out my bandwidth, but that's at least 10 times the amount of bandwidth being burned when, for example, I have a Teams call (audio) going on with coworkers.
Problem is, I have no idea what device it might be. Ordinarily I'd blame random machines trying to download Windows updates at some (bad) time of their choosing, but all my Windows-based machines (physical + virtual) are part of a domain that has a policy set to get updates from a local WSUS server. So none of them should ever hit the WAN for this. And the patch server is configured so I have to approve updates before they get downloaded.
The router itself seems rather useless at telling me what device is sucking up the most bandwidth. It's running DD-WRT, on a D-Link DIR-859. Obviously, any command I run on a given system will only report what that system knows about, so if I want to identify what's sucking up the bandwidth, it seems to me the way to go about it is to interrogate the router itself. I know enough about MIBs and SNMP to get myself in trouble, but I don't quite see how to go about it.
How would you approach this problem? This doesn't happen in a predictable fashion, so it's not like I can turn everything off and power things back on one device at a time until I start seeing it happen again...
Wireshark.
Capture the traffic, keep watch on when the abnormal consumption happens and then delve into the log.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
any command I run on a given system will only report what that system knows about
den2k88 wrote: Wireshark.
Can Wireshark report what's going on at the router level, as opposed to just the local system?
IIRC, it has a "promiscuous mode" in which it listens to anything going on the local segment. If the local segment contains the router, that should give you what you need.
It depends on having a NIC that can be placed into "promiscuous mode", but nowadays that is true of most (all?) NICs.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
It should; otherwise you'd need the Wireshark machine between the router and the modem, or a hub between the nodes and the router: hubs don't route packets, and while you'd see a significant slowdown of the network you'd be able to see all the traffic.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Some managed switches (I got an HP 10-100 cheap, but a 1G managed isn't likely cheap) can be set to run all traffic to your Wireshark machine. Less network holdup than a hub.
How many machines? The "dumb" way is to look at the blinking lights, and unplug the "hottest" one. That could identify "where" (not what, and it may not always be the same machine - or the same "leech"), which could narrow the search.
Create a bastion host from an old PC between the router and the LAN?
Keep Calm and Carry On
dandy72 wrote: How would you approach this problem?
Rather than spend a large amount of money you could spend a couple of minutes making a read-only ethernet cable[^]. Simply replace the cable going into your cable modem and then you could capture packets off the read-only end.
The best part of doing it this way is that you can also use an ethernet PHY analyzer for passive signal analysis without interrupting the network.
Best Wishes,
-David Delaune
I would expect the DD-WRT router to have logging capability that shows source and destination IPs. If that is enabled, I would direct it to send those log entries to a syslog server and write to a file. I have created syslog servers using both <gasp> python and C#. Python is easier for a one time kind of operation. Most of the code has to do with filtering what log entries to keep.
I use a router that has both Wireshark and logging built in. Logging is easier to use if it shows source and destination IPs that you can use with whois. I had to block about 10 outbound IPs (each) in the firewall to stop Amazon streaming and Windows updates. Many of the devices that phone home do so to Amazon AWS, in my limited experience. I did spot (logging in an Asus router) a surveillance camera phoning home to an IP in Tanzania.
For other uses of wireshark, we keep an old hub around for such. You do need to turn on promiscuous mode.
If you can keep your head while those about you are losing theirs, perhaps you don't understand the situation.
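An added example (not the poster's code) of the syslog-server approach suggested above, aimed at the question that opened the thread: a small UDP receiver that keeps only netfilter-style packet lines (SRC=/DST=/LEN=) and totals bytes per LAN host in both directions, so the device doing the steady download rises to the top. It assumes the router logs packets in the kernel's key=value style to port 5514 and that the LAN is 192.168.1.0/24; the sample datagrams are constructed, not real DD-WRT output.

```python
import re
import socket
import time
from collections import defaultdict

FIELD = re.compile(r"\b(SRC|DST|LEN)=(\S+)")
LAN = "192.168.1."   # assumption: the home LAN subnet

def parse_line(line):
    """Return {SRC, DST, LEN} from a netfilter-style line, or None to drop it."""
    f = dict(FIELD.findall(line))
    if not all(k in f for k in ("SRC", "DST", "LEN")):
        return None      # dnsmasq, dhcp, etc.: not a packet line, filtered out
    f["LEN"] = int(f["LEN"])
    return f

def top_talkers(lines):
    """Total bytes per (LAN host, remote host), either direction, largest first."""
    totals = defaultdict(int)
    for f in filter(None, map(parse_line, lines)):
        if f["SRC"].startswith(LAN):
            key = (f["SRC"], f["DST"])   # upload
        elif f["DST"].startswith(LAN):
            key = (f["DST"], f["SRC"])   # download, the case in the question
        else:
            continue
        totals[key] += f["LEN"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def serve(port=5514, seconds=60):
    """Receive syslog datagrams for `seconds`, then print the ranking."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(1.0)
    lines, deadline = [], time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            lines.append(sock.recvfrom(4096)[0].decode(errors="replace"))
        except socket.timeout:
            continue
    for (lan_host, remote), total in top_talkers(lines):
        print(f"{lan_host} <-> {remote}: {total} bytes")

SAMPLE = [  # constructed datagrams in netfilter key=value style, not real DD-WRT output
    "<4>kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.5 DST=192.168.1.23 LEN=1500 PROTO=TCP SPT=443 DPT=51234",
    "<4>kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.5 DST=192.168.1.23 LEN=1500 PROTO=TCP SPT=443 DPT=51234",
    "<4>kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.40 DST=198.51.100.9 LEN=120 PROTO=UDP SPT=5000 DPT=3478",
    "<30>dnsmasq[123]: query[A] example.com from 192.168.1.40",
]
```

Point the router's remote syslog at the machine running serve(), then feed the remote addresses from the top entries to whois as the post suggests.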