
Kenneth Corbin has been doing an excellent job covering legislation in the US Senate regarding data breaches. A new bill has been introduced; however, two similar bills have already fizzled in the Senate. He notes that 46 states have some form of data breach protection, but I see this as a federal issue, since taxpayers need uniform protection from data breaches.

For more information check out his latest article and the related stories linked there.


The OSSEC project is one that I have been familiar with for a while but have never had the time or energy to properly evaluate for myself. I even made its installation an option for a lab in a network security tools course I taught but I never had the time to sit down and look carefully at the system.

I started my installation with a Ubuntu 10.4 server that was hosting a Subversion repository and little else. My first step was clicking my way through several links to finally get to the installation instructions I needed. Don’t bother with the Getting Started page; it won’t get you started. It’s more of a feature list and overview. The First Steps page is a better place to go: scroll down to Install It and click on the Installation guides page. Finally, some instructions!

These are adequate instructions, but they do not mention that if your system doesn’t have gcc and make the install won’t work, as OSSEC must be built from source. I found this tutorial for installing OSSEC on Ubuntu 9 and had no further problems completing the install. The OSSEC installation materials could be improved by incorporating some of the additional information found in that tutorial.

In most cases OSSEC is deployed on multiple servers within an organization. The system, a Host-based Intrusion Detection System (HIDS), monitors only a single host. In my case I only had one host to monitor so this part of my setup was complete. In a real network setting the system administrators would have to install the software on every server. This is non-trivial for very large networks with diverse server types – many of which will not have the build tools installed to compile the software.

Once I got my new HIDS installed it was time to start the service. A simple shell command starts the HIDS: ‘/var/ossec/bin/ossec-control start’. That was it! Pretty soon after starting the service I started getting email alerts of people trying to log into the machine via ssh connections from obvious account names like root, testing and admin. Here’s an example:

OSSEC HIDS Notification.
2010 Aug 09 17:13:16

Received From: localhost->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Aug  9 17:13:15 localhost sshd[29833]: Invalid user webadmin from x.x.x.x
Aug  9 17:13:13 localhost sshd[29831]: Invalid user tomcat from x.x.x.x
Aug  9 17:13:11 localhost sshd[29829]: Invalid user samba from x.x.x.x
Aug  9 17:13:09 localhost sshd[29827]: Invalid user office from x.x.x.x
Aug  9 17:13:08 localhost sshd[29825]: Invalid user alias from x.x.x.x
Aug  9 17:13:06 localhost sshd[29822]: Invalid user recruit from x.x.x.x
Aug  9 17:13:04 localhost sshd[29820]: Invalid user sales from x.x.x.x
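The alert above is OSSEC correlating several "Invalid user" lines from one source inside a short window. To make that logic concrete, here is an added example (my own code, not OSSEC's rule engine) that parses sshd auth.log lines and raises one alert per burst. The threshold of 6 attempts within 120 seconds, the sample log lines, and the RFC 5737 documentation addresses are all constructed for this illustration; consult the OSSEC rule definitions for the real parameters of rule 5712.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input modelled on the alert above (not a real capture).
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Aug  9 17:13:04 localhost sshd[29820]: Invalid user sales from 192.0.2.10
Aug  9 17:13:06 localhost sshd[29822]: Invalid user recruit from 192.0.2.10
Aug  9 17:13:08 localhost sshd[29825]: Invalid user alias from 192.0.2.10
Aug  9 17:13:09 localhost sshd[29827]: Invalid user office from 192.0.2.10
Aug  9 17:13:11 localhost sshd[29829]: Invalid user samba from 192.0.2.10
Aug  9 17:13:13 localhost sshd[29831]: Invalid user tomcat from 192.0.2.10
Aug  9 17:13:15 localhost sshd[29833]: Invalid user webadmin from 192.0.2.10
Aug  9 17:20:00 localhost sshd[29900]: Invalid user bob from 198.51.100.7
Aug  9 17:20:01 localhost sshd[29901]: Accepted publickey for ben from 198.51.100.7 port 50222 ssh2
"""

# syslog prefix + the sshd "Invalid user" message; newer sshd appends " port N".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) "
    r"from (?P<src>\S+)(?: port \d+)?$"
)


def parse_timestamp(mon, day, time, year=2010):
    """syslog lines carry no year; the caller supplies one (2010 matches the post)."""
    return datetime.strptime(f"{year} {mon} {day} {time}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=6, window_seconds=120):
    """Sliding-window correlation: one alert per source address whenever
    `threshold` invalid-user attempts land within `window_seconds`.
    Threshold and window are assumed values, not OSSEC's own."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, attempted user)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an "Invalid user" event; ignored by this rule
        ts = parse_timestamp(m["mon"], m["day"], m["time"])
        q = recent[m["src"]]
        q.append((ts, m["user"]))
        # drop attempts that fell out of the window
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": m["src"],
                "first": q[0][0],
                "last": ts,
                "count": len(q),
                "users": [u for _, u in q],
            })
            q.clear()  # one burst -> one alert, as OSSEC does with its timeframe
    return alerts


def run_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['src']}: {a['count']} invalid users "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} {a['users']}")
```

On the sample input the 192.0.2.10 burst fires once at the sixth attempt, the seventh line starts a fresh window and stays below threshold, and the single attempt from 198.51.100.7 never alerts. The "Accepted publickey" line is skipped by the regex, which is the same reason a rule like this needs a separate successful-login rule to catch a brute force that eventually works.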

Next steps

In future posts I will go into installing the web interface and the usability and effectiveness of OSSEC.


We reported on the Heartland Payment Systems data breach back in January 2009 when it was first breaking. The company is just now coming back to profitability after 18+ months spent recovering from the breach (investigation costs, litigation, settlements, etc.) against the backdrop of a terrible economy. Take a look at the 5YR stock price here on Google Finance. You can clearly see that the company bottoms out right after the breach and has been slowly climbing back ever since.

It seems there are two things that can be taken away from this breach:

  1. The costs of recovering from a serious data breach are very high and can drag down an otherwise successful business for very long periods of time
  2. A smart company can and will recover from a serious event like a data breach over time

Of course, I do not have behind-the-scenes information to offer opinions on these points in this particular case; however, my personal belief is that smart IT spending on security solutions is worth the money.


A note to readers of this blog:

BreachBytes has been on extended hiatus for the last year plus as I have been focusing on family and settling into my still-new career as a professor teaching Computer Science and Software Engineering at the Milwaukee School of Engineering. Thanks to all that have posted comments in the meantime. I will try to do a better job posting new material and replying to comments as things have settled down a bit.

Thanks again for your interest.

Sincerely,

Ben Uphoff


If you are a Virginia resident, there is a chance your medical records are being held hostage by a hacker who breached the Virginia Prescription Monitoring Program. He is demanding $10 million to return the records he deleted when he breached their network. The original report of the breach from Wikileaks can be found here. Excellent coverage can be found in this Washington Post blog as well.
