Petros Antakis, Author at Creative People | Quality IT services

Honeypot Ports technique

Petros Antakis — Tue, 29 Oct 2024 07:20:46 +0000

As many of us know, a common initial step for an external attacker to perform target reconnaissance (where target here is our network from the external side) and thus identify entry points and vulnerabilities, is the well-known port-scan.

A port-scan is a process at which, in simple terms, an outsider checks each and every port of our public-facing side of the network (usually our edge firewall or a DMZ host) to see if it is open and what it can serve. This process is performed by various specialized tools (a pretty well-known tool is nmap), which with the proper configuration can yield valuable results from some not so well-attended network targets.

Daily I can see in the firewall logs various attempts from multiple sources to connect to ports that are not common and no-one would expect a service to be active; this smells like a port-scan.

Such events have significantly increased since the pandemic, where remote working became a norm. A very common way for remote workers to connect to the office is via Remote Desktop services. Many admins (depending on the network equipment at hand) turned to the port-mapping approach, by using non-standard high ports that map to individual PCs in the office. Attackers know that, so as a means to find those precious RDP ports they select the port-scan technique. Most cases like this are fully automated; the attacker feeds his tools with target IP lists and lets it run until something useful comes up. It’s like hunting by using traps. While the port-scan is running, the firewall of the target network has to do work, as well. Imagine if someone comes and knocks on your door and you have to answer if he can come in or not. Now take into account that you have 65535 ports. That is a lot of work!

So, someone that is not so friendly, should be stopped at a relatively early stage and be discouraged to continue with his wrong-doing. Essentially, you would want to “blacklist” this source and prevent at that point and onward any connections from or to this host. However, it is physically impossible to sit in front of your computer 24-7 just to monitor the connections and deduce which sources need to be blacklisted or not.

A very helpful and low-cost technique to blacklist such threat actors is to select some really uncommon ports (not the ones you run your services on) and add some monitoring rules that wait for connections. If someone tries to connect to those ports then (s)he is your guy. Usually, a quite low-budget or open source firewall has this ability to tag or add the source IP addresses to a list that can be processed later with other firewall rules (eg. if an IP is in this list, drop the packets). Those decoy or “honeypot” ports should be carefully selected though, as we would not want to accidentally blacklist actually needed traffic.

I hope this helps some of you, but rest assured there are many more monsters out there…

[Disclaimer: This article was not written with AI support, so excuse any grammatical errors]

The post Honeypot Ports technique appeared first on Creative People | Quality IT services.

How the selection of the tool to be used in a specific problem can lead to glorious success or catastrophic failure

Petros Antakis — Thu, 08 Oct 2020 07:12:26 +0000

Some days ago this article from BBC fell into my attention (https://www.bbc.com/news/uk-54422505), which explains how data of positive identified COVID-19 infections, in Britain, were lost into oblivion, due to the fact that the format of “.xls” was used to gather the data. Don’t get me wrong here, this article is not a roast for the “.xls” format.

Let me get into details on what happened in this case. The Public Health England (PHE) was gathering the result logs of the COVID-19 swab tests performed by commercial firms in a text format. The PHE developers had set-up an automated procedure to import those logs in a Microsoft Excel template, in order to later on post those records to a central database for the various government experts and organizations to have access and process the data. The problem is, that the PHE developers used the “.xls” format. One could say “what is wrong with that? I ‘ve been working with .xls files my entire life and never had a problem.” Well, I tend to agree, but things are more technical here, than it is just all Excel files “.xls” or “.xlsx”. That little “x” in the end makes all the difference. The “.xls” format is the default format used in Excel versions 97 up to 2003. The .xlsx format was introduced in Excel versions 2007 and is the default format until now. Apart from the low-level differences of the .xls being a binary file and the .xlsx being in its core a text file in XML format, the key difference that caused our big problem here is the actual limitations of the .xls format. The older standard has a limit of 65,536 rows, whereas the .xlsx format has a nominal limitation of 1,048,576, which in our case is a big difference. For the most people working with Excel Spreadsheets the above limits do not mean much. But when we are talking about data collected from an entire country, this is another story. So, what actually happened, is that when the files were reaching their limits, no more data could be read in. This resulted in 15,841 cases between 25 September and 2 October to be left out of the overall procedure of posting and processing. The data were not entirely lost, as they could be re-inserted after checking which were missing. The problem is -in such cases when we are dealing with the spread of a pandemic- that the data are time-critical. It is of utmost importance to have the data available at the time that they are useful (eg. same day) and thus figure out after the epidemiologists process, what are the spread rates and what measures should be taken.

The problem that we want to stress out here, is not that the .xls format is flawed and should be banned for life, but as every tool (electronic or physical), it is not suited for all the cases. People tend to use what they know better, even for cases that it is not the best selection or in many cases the second from worst. Yes, you can tighten a screw with a knife, but the torque applied, is merely a fraction of the torque of a screwdriver and if we are talking about security, that screw will fall-off on the road and someone might eventually get hurt. In many cases the selection of the right tool might demand a time-consuming research, but depending on the seriousness of the project it is worth the cost. If the PHE developers had taken the extra time and effort to craft a different method for performing the same task, such a serious problem would have been avoided. In greek, there is a saying that goes roughly like “Better secure the donkey, than go looking for it afterwards”, which applies to many things in life and perhaps in the most cases where IT projects and Software developing is involved. If you invest more in the design phase you will worry much less in the debugging phase.

So, there is no need to rush into the implementation of the first solution that comes to mind. Ask yourself some questions before deciding: “Are there any problems with this solution? Are there any limitations? Do these limitations apply in my case?”. Then you can make a so-called informed decision of which action to take.

The post How the selection of the tool to be used in a specific problem can lead to glorious success or catastrophic failure appeared first on Creative People | Quality IT services.

The chatbots rise

Chrysostomos Psaroudakis Petros Antakis — Thu, 21 May 2020 12:51:55 +0000

The chatbots rise

As Covid19 forces call center employees abandon their positions, chatbots march in to replace them.

Tried to speak with one of those in a known telecom provider and spent around 4 minutes testing its nerves. I won, it finally told me “please contact our support at XXXX telephone number”. I will not say I am happy about that, as it appears to be that AI is a bit far away from replacing humans, but the truth is that call centers incorporate cheap or not well trained (algorithm) chatbots.

At least before Covid19 outbreak AI chatbots were rather an exotic technology, found mostly in EU funded RnD Programs, whose primary objective was to deal with automated tasks and not necessarily to engage in conversations with humans.

My first encounter with an AI chatbot was back in 1997. His/her name was “Hal”, made by Zabaware. I’m very happy to see that the Hal project still exists and is still learning (till 2017) as stated on the manufacturer’s website .

Brain Stats: As of Wednesday, November 1, 2017 Hal’s knowledge is based on information learned from: 26,207,131 sentences from 4,624,848 conversations with 1,614,639 people.

Hal is like a child, capable of learning new things by statistically analyzing past conversations using language processing. At the time, the system analyzes hundreds of thousands of conversations publicly available on social networks like Twitter and Facebook every day. These conversations, along with conversations the system has with its users, get assimilated into a large conversational database that becomes his knowledge base. Having a conversation with Hal is like having a conversation with the “collective consciousness” of the Internet. Hal’s personality reflects humanity and it’s really fascinating how he/she responds to general questions.

As the coronavirus crisis has dragged on, understaffed organizations have all scrambled to set up similar systems for handling a new influx of calls. IBM saw a 40% increase in traffic to Watson Assistant from February to April of this year. In April, Google also launched the Rapid Response Virtual Agent, a special version of its Contact Center AI, and lowered the price of its service in response to client demand.

While call centers have long been a frontier of workplace automation, the pandemic has accelerated the process. Organizations under pressure are more willing to try new tools. AI firms keen to take advantage are sweetening the incentives. Over the last few years, advances in natural-language processing have also dramatically improved on the clunky automated call systems of the past. The newest generation of chatbots and voice-based agents are easier to build, faster to deploy, and more responsive to user inquiries. Once adopted and as AI algorithms get more and more “intelligent”, these systems will be here to stay, proving their value through their ease of use and affordability.

Is Skynet on his way? Maybe…

The post The chatbots rise appeared first on Creative People | Quality IT services.

Pyboard Just received ?

Petros Antakis — Thu, 09 Jan 2020 10:15:27 +0000

We are excited to receive this little fellow just now.

It’s a Pyboard D-series with WiFi and Bluetooth. This pyboard is a low-power microcontroller module that runs MicroPython. This particular model (SF3W) has a 216MHz CPU, 256k RAM, built-in high-speed USB PHY and integrated WiFi/Bluetooth capabilities.

The concept of D-series pyboards is to use as both a standalone board or an embedded component in final products. MicroPython runs bare metal on the pyboard, and essentially gives you a Python operating system. The built-in pyb and machine modules contain functions and classes to control the peripherals available on the board, such as UART, I2C, SPI, ADC and DAC.

Let’s put some code there!

The post Pyboard Just received ? appeared first on Creative People | Quality IT services.

DEFENCO ACRITAS

Chrysostomos Psaroudakis Petros Antakis — Fri, 05 Feb 2016 19:41:00 +0000

ACRITAS project created an integrated joint border management system. Can be rapidly deployed in inaccessible and remote areas by providing multi-functional surveillance capabilities, useful processed information and innovative services to regional and national authorities. The ACRITAS project developed a highly technically innovative and modular solution to meet regional and national needs of border surveillance. Scalability, ease of transport, use, and adaptability are considered the most important characteristics of the system. The system is focused on autonomy and completeness as a functional regional command and control center (RCC).

The post DEFENCO ACRITAS appeared first on Creative People | Quality IT services.

HOW TO: WD Sharespace RAID 5 Data Recovery and some handy notes on this device.

Chrysostomos Psaroudakis Petros Antakis — Wed, 16 Jan 2013 16:49:00 +0000

I came up on a Failed Raid5 in a WD SHARESPACE, some time ago.

Apparently one the drives had failed (No. 3 in chain, according to WD inside device numbering).

I carefully read many posts/articles in the WD forum and the most valuable -I must admit- it was the following:

http://community.wdc.com/t5/WD-ShareSpace/HOWTO-Sharespace-RAID-5-Data-Recovery/td-p/287736

Posted by dudemanbubba

God bless this guy!

Unfortunately not all of this managed to help, since when you are in the process of mounting the Raid in Linux, most of the time you won’t be able to mount it. I assume that, this is because the order of the drives was not correct, in my case.

Anyhow I tried to find another way to do it, since I strongly believe, that loosing data from a RAID 5 is almost impossible!

A few notes to stick on, before trying to do anything else:

Always use a UPS when using such devices, power supply failures may lead to loss of data and unpleasant situations in general.
Do not put another HDD, even another WD HDD, as long as you have the WD official firmware!!!!
The device is NOT A HOT PLUG device!!!! Always shutdown prior to removing/putting HDDs.
Remove the faulty HDD, package according to WD support in RMA procedures, ship to Germany and wait for the replacement.- DO NOT PUT ANOTHER DRIVE TYPE.
After you receive the replacement Hard drive, shutdown the device and put the drive you received. Power up and check whether the RAID is rebuilding.
The WD rebuilding process will take around 16-18 hours, so be patient. Have a coffee or a nap, try a long one. Don’t be frustrated if the result of the process is failure. There are ways to get the data back.

The process that I am going to describe below takes around 5 days. Read all first, make a checklist of what you have and what you need and be patient. I’m sure that there may be other faster ways but none I tried did the job. For the walkthrough below you will need:

A desktop- no gigabyte motherboard! Windows Installed

A good PSU, at least 500Watt cause too many HDDs and devices will need to work hard, a ups would be a good thing to have

A sata controller with 3+ SATA slots
An external USB HDD with capacity enough to store the data you are about to restore.
Free Software: ReclaiMe Free RAID Recovery. You need this in order to determine the exact RAID configuration of your device. I suggest not overcoming this part, by using my RAID info below, since this may be different in other firmwares.
Cheap and Life Saving Software: Zero Assumption Recovery version 9

The following is my walkthrough in saving my customer’s data, using a windows machine.

Do not use a pc with Gigabyte motherboard. The one I used appeared to have an issue with 1 TB drives and damaged the disks’ size info. I had to go on using other tools in order to restore the correct disk size (I used HDD capacity Restore).
I put the HDDs, no specific order on a pci (pci-xpress) sata controller. In my case that was a new RAID0/1 sata controller, but a simple would do the job. I should note that I put only 3 out of 4 HDDs, since the new I received from WD was brand new and putting him on would just delay the process.
DO NOT CONFIGURE your sata controller for RAID!!!! This way you will just see the Hard drives in your device manager. DO NOT INITIATE THE HDDS, since this will damage the data on them.

I downloaded ReclaiMe Free RAID Recovery. I used this application in order to determine the RAID characteristics. After the process I had all the necessary info for continuing with the recovery process. Copy-paste and save the outcome in a notepad file. It includes instructions, for your next steps. Mine looked like below (USE YOUR OUTCOME-NOT MINE!!! Cause the Array members Table/Start size may differ).

These instructions are provided for Zero Assumption Recovery starting with version 9 build 38

1. Launch Zero Assumption Recovery

2. Click “Data Recovery for Windows and Linux. This is OK because we’ve already done the RAID reconstruction.

3. Right click anywhere in the disk list, select “Define RAID manually”.

4. From the “Available drives” list, select “Disk 2 – WDC WD10 EARS-00MVWB0”, then click “Add”.

5. From the “Available drives” list, select “Disk 1 – WDC WD10 EARS-00MVWB0”, then click “Add”.

6. From the “Available drives” list, select “Disk 3 – WDC WD10 EARS-00MVWB0”, then click “Add”.

7. Next to the “Array members” table, click “Add parity”.

8. From the “Array members” table, select the last entry (ID 0500). Click “Move up” 3 times. Verify that the parity drive (ID 0500) is at the row 1 (the top row is number 1).

9. On the right side under “Array configuration”, set “RAID type” to “RAID5 (MS/LDM)”.

10. Below that, set “Stripe size” to “128 sectors”.

11. Below that, set “Parity start/rotation” to 3/3.

12. In the “Array members” table, enter “48,1953523055” as “Start, Size” in all rows.

13. Set “Parity delay, stripes” to 1.

14. Set “Stripes in first delayed block” to 1.

15. Click “OK”. The warning message may appear stating that “Starting sectors and sizes are incorrect”. Click “OK” to dismiss the message box, then click “OK” on the manual RAID setup form again to close the form. This is the expected behavior.

16. In the device list, “Virtual RAID #0” is the newly created RAID. Double click it to start recovery.

Generated by ReclaiMe Free RAID Recovery build 889, www.FreeRaidRecovery.com

The above process took me about 2 days on Windows 7×64 with 2GB RAM and a P4@3GHz.

After that I simply went on.

Attached a usb to sata external Hard drive.

Downloaded Zero Assumption Recovery version 9 and proceeded with the above saved notes from the ReclaiMe Free RAID Recovery. Started the restore process, guided by the applications GUI, it is very easy to use.

2 days passed and all the data were restored in the external drive.

Ok we saved the data, now what about the WD sharespace?

I had plenty of time to jungle around with the device, while the process of recovery was on the run. A few notes that I should make are below:

You will never-ever see the web management interface of the device if the device boots up without HDDs.
If the http://IP fails, try if https://IP works.
The device always responds in ping on the 192.168.1.2, but it is not manageable if no HDDs are present. No telnet as well.

In order to have a successful reset to defaults you have to put ZERO filled HDDs on it. Therefore after the restore process I endorse you to zero fill the drives and then put back to WD sharespace.

You can do that by using the Free Western Digital Data Lifeguard Diagnostics. This is needed because while the WD boots it searches for its configuration on the HDDs. If no configuration is found, or if another configuration is present -different from the one that the device is able to handle- then it simply does not boot. You may just see 192.168.1.2 on your network, but no tool WD tool, or web interface will serve your configuration needs.

Western Digital and all HDD manufacturers can at no case be held responsible for any data loss. Therefore the only thing you can do is open an RMA request for the faulty device and send it over, after saving your data in another HDD.

Wow…that was close….

Special thanks to Peter Antakis for his support!!!

Creativepeople.gr

The post HOW TO: WD Sharespace RAID 5 Data Recovery and some handy notes on this device. appeared first on Creative People | Quality IT services.

Marvel Yukon Ethernet Card connected to 3Com or HP switch

Chrysostomos Psaroudakis Petros Antakis — Sun, 20 Feb 2011 11:35:00 +0000

It’s been a long time since we had issues in group policy pushing to clients, running XP, Vista orWindows 7.Those issues were NOT found on all machines in our network/client networks. For more than one year we understood that something was wrong. Too many “usernev” (event id 1053 and 1052) error events in the event logs and generally latencies in network traffic. See more in http://www.eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1

In the beginning we thought that this was due to issues of windows XP connected to w2k3 DCs over 1000 Mbit networks as Microsoft itself admits and released some fix ups. Anyway it was late December 2010 that we faced the same issue in a customer having a 100 Mbit network over an HP managed 100 Mbit Switch.Same issue but no gigabit….

In February the 15th 2011, we finished up some changes in our 1000Mbit network. New cat6e cabling, no intermediate switches and fully virtualized environment for all our servers. All workstations are now directly connected to our 3COM family switches. Right after this major change I personally saw eventID 1052 and 1053 in my Windows 7 Ultimate event log. I use a Sony Vaio VGN-NR21S/S which features a Marvel Yukon ethernet 10/100 Mbit card. As you may understand as an administrator I cannot stick to problems referring to solutions such as “contact your system administrator”…I should always ask myself :p????… I tried updating my drivers directly from Marvel Yukon web site….nothing. No change, still no correct group policy appliance, pings to local area network destinations timing out out of the blue – with no reason- and other network issues coming up every now and then.

We remembered that another client in our network experienced the same problem…such as the client with the 100 Mbit Lan mentioned above.

Appears to be a lucky guess. I visited the colleague’s office where we faced the this same problem, with a Realtek Chip enabled NIC in my hand. I check his nic brand….and got ya!!!! Marvel Yukon!. It is an on-board card, so I fire up the bios. We disable the on-board nic and put another PCI 10/100/1000 Mbit NIC that I had with me. Worked like a charm!!!

What about me now…I have a laptop, not a workstation….I put a smaller uplinked switch to the 3COM and immediately all problems were solved… Apparently, prior to the change in our cablings all IT Workstations were on a smaller switch uplinked to our 3COM switch family. So till that time I had not faced a problem like this. The colleague having the issue was directly connected to the master 3COM switches.

We made a crazy thought…what about the client with the HP switch? Bingo…2 servers and 3 clients having Marvel Yukon onboard cards…but this time on an HP 100 Mbit switch…We changed all 5 NICs and everything worked better than expected. Faster downloads, faster copying to NAS, successful group policy appliances and so on.

Are we missing a point here? Either it is a problem of Marvel Yukon itself, either it is combination problem resulted from Marvel Yukon connections to 3COM or HP business series switches. Actually HP has acquired 3COM a couple of years ago and I guess HP just puts its brand on switches rather than producing them itself.

I don’t know the solution to the problem since no network drivers changes, or switches firmware upgrades solved the problem.

At the time I cannot spend more time researching this, since I am into deep with some projects but I just know….DON’T USE MARVEL YUKON NICS WITH HP OR 3COM SWITCHES.

….once again loosing our hair in the name of technology everyday….fortunately I have a lot left and a lot of years to serve my job.

Good luck!

PS. If anyone has an idea why this happens, is more than welcome to post below 🙂

Special Thanks to PA

Creativepeople.gr

The post Marvel Yukon Ethernet Card connected to 3Com or HP switch appeared first on Creative People | Quality IT services.

CBL blacklists my Datacenter IPs every day for almost 3 months.

Chrysostomos Psaroudakis Petros Antakis — Sun, 20 Feb 2011 11:34:00 +0000

There are many times in this job, that I managed not to cry….There are several others that I said….I quit, I can’t stand it no more….but it’s the IT virus inside us that makes us keep on doing this job with a smile of self-fulfillment on every success.

This particular problem started early December 2010 and we were over it till the 21^st of February 2011. We have a quite complicated set of Datacenters, one for inhouse operations and another one stated in another territory outside our headquarters just for services. The public IPs on our services datacenter started being blacklisted in CBL (http://cbl.abuseat.org/) on December 15^th 2010.

Thanks to great Blacklist check tool http://www.mxtoolbox.com/ we were able to monitor changes made to listings and walk us through our checking procedures.

Based on our application services that are: email hosting, DNS hosting, Apache Web Hosting, IIS Web Hosting, VOIP, all behind an array of ISA2004 servers, we started checking what is wrong.

We checked all customers served in-front and servers/clients behind the Firewall set for malware, virus and rootkit like apps that sent out spam. No results capable of producing this listing were found. I should state that every time we saw ourselves listed we went in the process of looking at another issue and delisted our selves accordingly in CBL. We got listed and requested delisting more than 50 times during this period, and as you may know there was the threat of inability to re-delist after so many times. We forced user password changes, stopped services that we didn’t need to, disabled ftps, disabled contact forms on all our websites and waited for google to expire its cache on them, checked robots for all sites –one by one, double-checked our DNS spf records on all domains hosted, checked EVERYTHING!!! Some of the servers where rebuilt in just a few hours, routers where changed, hell knows what we did not test.

It took us that long cause we had to make changes, check logs and Mxtoolbox and wait. We finally found out that every one or two days after the delisting we were relisted in CBL AGAIN! Just image how frustrating this was.

Actually if RTFM (Read the f@@@@ing manual) worked better, as we ITs tend to not read, we would have faster understood that all this was JUST a matter of a proxy. CBL clearly states this in its FAQ, however I believe they should somehow let you contact them and ask for a log stating the particular incidents occurring and resulting the listing, just in order to understand about timings between your checks and compare them with your own logs…No contact link is still available on their website, and every mail submitting I tried did not reach anyone (My mails where from other IPs, not the ones blasklisted, therefore should be accepted).

In order to make a long story short. The actual problem was quite similar to another guy’s post in the following url

http://www.howtoforge.com/forums/showthread.php?t=49452

This God sent guy refers to a continuous CBL listing due to lunix server he had. This gave me the idea to start looking for an open proxy in our Elastix servers. Bingo!!! There was one elastix PBX server left as a virtual machine on our HYPERV with 2 nics (one on a standalone intranet and one on the extranet). Since we had not done any modifications to it, and no ports where addressed to it through firewall and routers and it was just for testing purposes we never installed a firewall on it! HOW STUPID of mine. Note that all the rest production servers were fully protected during this period, but not THIS ONE! Apparently even without any port publishing on him the little bastard managed to open a web proxy….and that was just the start. So we thought that some clever spammers started using him for their purposes resulting the CBL blacklisting. So we left him as it was for a couple of days while we checked apache logs and my mail logs (mail.err, mail.info, mail.log). Nothing AGAIN, but still relisting!!!

I was frustrated once again, but somehow convinced that all this came from this.

Took the vhd to labs and started checking again, and again. During another installation, i forgot to give a name to the server, so the hostname was: myprovider.com instead of the correct one.

So I Edited /etc/postfix/main.cf, and add/edit this line:
relayhost = my.server.comThen restart the postfix service:
# /etc/init.d/postfix restart

After stopping the Virtual PC –voila…not blacklisted in CBL!!!

What does not make sense to me is that CBL says it does not count over phishing. According to them, they use their own spam traps to hunt down spam sending IPs. So if it was not that, what was it? I still have the vhd in my labs and try to understand what is wrong with it by using the netstat -tap command. I guess I will know soon, if this small testing environment was hacked, but if it was hacked –how???? We never published it. It’s only connection to the web was to get updates through the FreePbx environment, nothing else!!! I will not stop this virtual pc unless I find out why….

The good outcome of this is that it made us study really hard about processes, procedures and email spam checks that in another case we would have not….Knowledge is power! So next time I will read more carefully what FAQs say, the problem is that you always need time and it is always against you.

Special Thanks to Peter Antakis.

Creativepeople.gr

The post CBL blacklists my Datacenter IPs every day for almost 3 months. appeared first on Creative People | Quality IT services.