The PYPI Python Package Hack

Security, Tools

There is a brand new hack out there that has very quietly affected many people. Malicious developers uploaded packages with slightly misspelled names to Python’s package index, PyPi. Prominent examples include urllib vs. urrlib3, bzip vs. bzip2, etc. These packages contain the exact same code as their upstream package, so their functionality is the same, but the installation script, setup.py, is modified to include malicious (but relatively benign) code. It is very similar to what happens when you type in https://cnnn.com/ vs. https://cnn.com/.

Reference: You can read a pretty good discussion here: https://news.ycombinator.com/item?id=15256121

What does PyPi do exactly?

PyPi (Python Package Index) is a repository of software for the Python programming language. There are currently 117,189 packages hosted there that users can download. It is the default repository for Python developers around the world. If you want to install a common library, you use a special tool called pip, which knows how to pull files down from PyPi.

What can you do about it?

1. Run this simple one-page Python script to check for bad packages. Ref: https://github.com/williamforbes/pypi_hacked_names

The output will look something like this in verbose mode.

[Screenshot: verbose output of the pypi_hacked_names script, from https://github.com/williamforbes/pypi_hacked_names]

2. If you don’t have any of the bad packages, there is no problem. However, make sure you review all of your virtual environments and run the same script in each of them.

3. If you do have a potentially compromised library, don’t use pip uninstall, as it runs code in the package. Just go to the directory and delete the package.
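The check described in the steps above, as an added example that is not the pypi_hacked_names script from the post: it lists the distributions visible to the running interpreter (so run it once per virtual environment), matches them against a deny-list, and also flags any installed name that is one edit away from a known-good name, which is how a typosquat looks before anyone has published a list. The deny-list contains only the two names quoted in the post and the allow-list is constructed for illustration; neither is the authoritative list of affected packages.

```python
"""Look for typosquatted package names in the current Python environment.

Added example, not the script referenced in the post. KNOWN_BAD holds only the
two names the post mentions; the real list of affected packages is longer.
"""
from __future__ import annotations

import re
from importlib import metadata
from typing import Dict, Iterable, List

# Constructed deny-list: just the names quoted in the post, for illustration.
KNOWN_BAD = {"urrlib3", "bzip"}

# Constructed allow-list of legitimate packages whose misspellings we want to catch.
LEGIT = {"urllib3", "bzip2", "requests", "setuptools", "django"}


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def find_suspicious(installed: Iterable[str],
                    known_bad: Iterable[str] = KNOWN_BAD,
                    legit: Iterable[str] = LEGIT,
                    max_dist: int = 1) -> Dict[str, str]:
    """Map each suspicious installed name to the reason it was flagged.

    A name is flagged if it is on the deny-list, or if it is not itself a
    known-good name but lies within `max_dist` edits of one (a likely typosquat).
    """
    bad = {normalize(n) for n in known_bad}
    good = {normalize(n) for n in legit}
    hits: Dict[str, str] = {}
    for name in installed:
        n = normalize(name)
        if n in bad:
            hits[name] = "on deny-list"
        elif n not in good:
            for g in sorted(good):
                if edit_distance(n, g) <= max_dist:
                    hits[name] = f"looks like a misspelling of {g}"
                    break
    return hits


def installed_names() -> List[str]:
    """Names of every distribution this interpreter can see (site-packages, venv, ...)."""
    return sorted({d.metadata["Name"] for d in metadata.distributions()
                   if d.metadata["Name"]})


if __name__ == "__main__":
    # Report only; removal is left to the operator, per step 3 above.
    for pkg, reason in find_suspicious(installed_names()).items():
        print(f"{pkg}: {reason}")
```

Running the script inside each virtual environment covers step 2; an empty report means nothing matched the deny-list or sat one edit away from an allow-listed name. Near-miss hits are for review, not automatic deletion, since two legitimate packages can also differ by one character.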

That’s it! This is a very insidious attack. We will keep tracking this at PyPi to see if we can help protect users.

What should you do when your IIS server is hacked?

Security, Tips & Tutorials

Maryland Government Site Hacked By ISIS

On July 25th, 2017, multiple government sites were hacked by ISIS sympathizers, according to Bloomberg’s Mark Niquette. It turns out that Maryland’s Howard County website server was among them. The site was running IIS and had critical vulnerabilities that were exploited. Ref: https://www.howardcountymd.gov/


First Things First… Don’t Blame Your Team

Your site was hacked. The first thing you naturally want to do is get angry. We agree that you should be angry, but not at your IT staff. The actors taking your site down are making your life difficult and have every tool in the world available to them. The deck is stacked against your in-house team, who have to juggle multiple issues, including the side job of training to maintain a cutting-edge cyber defensive capability on a limited budget. Meanwhile, the “hackers” of the world are running scripts 24/7 to break into your computers, looking for any vulnerability that creeps in over time. Don’t blame your IT staff!

Move Fast

The first thing you should do is re-route your domain to a safe holding page, like the fail whale. For more about the fail whale, please see this.

[Image: The Famous Fail Whale, what you show when your website is down]

With a temporary down page on display, you aren’t promoting ISIS propaganda, and you are free to get your site back online. Your other option is to kill the DNS name completely or shut the server down. This is exactly what Howard County did.


Restore

Hopefully, you have a decent recovery system in place and can restore your site from a previous backup. We recommend a full server rebuild (or re-image) followed by reloading your content. Start with a clean server and a trusted OS configuration, install IIS, and then load your content.

Inspect

Review your logs to see how people are accessing your site. We recommend shipping your IIS logs to an offsite storage location as the records are created, so that even if the server itself is compromised you can still see how potential hackers entered your site and what requests they were making.
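As an added example (not part of the original post, and not a tool used in the Howard County incident), the following Python script parses IIS W3C extended log lines and pulls out the patterns a responder looks at first: clients generating bursts of 404s (path guessing), HTTP methods a plain content site should never accept, script files created through PUT and then served, and paths throwing server errors. The log lines in SAMPLE_LOG are constructed for the example and the thresholds are assumptions to tune against your own traffic.

```python
"""Triage IIS W3C extended logs for common signs of probing and abuse.

Added example, not from the post. Field names follow the IIS W3C format; the
sample below is constructed, with RFC 5737 documentation addresses as clients.
"""
from __future__ import annotations

from collections import Counter
from typing import Dict, List

# Constructed sample log (not from any real server). User-Agent values in IIS
# logs have spaces replaced by '+', so every record splits cleanly on spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-07-25 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-07-25 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2017-07-25 00:00:02 10.0.0.5 GET /about.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2017-07-25 00:00:03 10.0.0.5 GET /admin/ - 443 - 198.51.100.9 python-requests/2.18 - 404 0 2 3
2017-07-25 00:00:03 10.0.0.5 GET /wp-login.php - 443 - 198.51.100.9 python-requests/2.18 - 404 0 2 3
2017-07-25 00:00:04 10.0.0.5 GET /phpmyadmin/ - 443 - 198.51.100.9 python-requests/2.18 - 404 0 2 2
2017-07-25 00:00:04 10.0.0.5 GET /backup.zip - 443 - 198.51.100.9 python-requests/2.18 - 404 0 2 2
2017-07-25 00:00:05 10.0.0.5 GET /.env - 443 - 198.51.100.9 python-requests/2.18 - 404 0 2 2
2017-07-25 00:00:09 10.0.0.5 PUT /uploads/page.aspx - 443 - 198.51.100.9 DavClnt - 201 0 0 40
2017-07-25 00:00:10 10.0.0.5 GET /uploads/page.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 120
2017-07-25 00:00:11 10.0.0.5 GET /contact.aspx - 443 - 192.0.2.33 Mozilla/5.0 - 500 0 0 88
"""

Record = Dict[str, str]

# Server-side script extensions whose creation over HTTP is always worth a look.
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php")


def parse_w3c(text: str) -> List[Record]:
    """Map each data line onto the column names given by the '#Fields:' directive."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # directive may repeat when IIS rotates the file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def not_found_bursts(records: List[Record], threshold: int = 4) -> Dict[str, int]:
    """Client IPs with at least `threshold` 404s: the signature of path guessing."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"] == "404")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def write_methods(records: List[Record],
                  allowed=("GET", "HEAD", "POST")) -> List[Record]:
    """Requests using methods a read-mostly site should reject (PUT, DELETE, MOVE, ...)."""
    return [r for r in records if r["cs-method"] not in allowed]


def uploaded_scripts(records: List[Record]) -> List[str]:
    """Script paths created via a successful PUT; each one needs to be inspected."""
    return sorted({r["cs-uri-stem"] for r in records
                   if r["cs-method"] == "PUT"
                   and r["sc-status"].startswith("2")
                   and r["cs-uri-stem"].lower().endswith(SCRIPT_EXT)})


def server_errors_by_path(records: List[Record]) -> Counter:
    """5xx responses per path: failing code, or someone poking at an input."""
    return Counter(r["cs-uri-stem"] for r in records if r["sc-status"].startswith("5"))


def triage(text: str) -> Dict[str, object]:
    """Run every check over one log file's text and return the findings."""
    records = parse_w3c(text)
    return {
        "scanners": not_found_bursts(records),
        "write_methods": [(r["c-ip"], r["cs-method"], r["cs-uri-stem"])
                          for r in write_methods(records)],
        "uploaded_scripts": uploaded_scripts(records),
        "server_errors": dict(server_errors_by_path(records)),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Point `triage` at the files IIS writes under its log directory (or at the offsite copies recommended above) rather than at SAMPLE_LOG; because the column map comes from the `#Fields:` line, the parser follows whatever logging fields the site has enabled.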

Open Ports

Also, review your firewalls and check which ports you have open. There is a chance that you left a port open that should be locked down. You should only have 443 and 80 open, and all HTTP traffic should be redirected to HTTPS.

Plan

The best way to solve this problem is to build up your infrastructure so that you could throw it away and restart in a few minutes. Hacking happens, so you should plan for the inevitable. Your solution should include a database separate from your CMS, a decoupled server, backed-up file content, and of course a separate copy of your code on another server. Your downtime should be measured in minutes, not hours or days.

Outsource

Get this off your plate. Many hosting providers and service companies can handle your website extremely efficiently and at scale. Website hosting is a commodity and should be farmed out to keep your team focused on what it does best, like providing incredibly helpful information to your clients. Sites like liquidweb.com or azure.microsoft.com can take a huge burden off your team.