Automatic Update?
-
Yes it was still 2.1 since I never got the downtime to patch it :( Which I did now….
the WebGUI of the PFsense was available via HTTPs on the OPT1 Interface which is the DMZ.
In the DMZ thare are a couple of WebServer, Lync Frontend and the usual stuff.
The PFsense is also holding a couple of VPN Tunnels to remote Sites and Remote Access for VPN Clients.
And all the Clients have been using OpenVPN without TLS!!! -
You think the hacker hacked his system and patched it to be nice?
Or that the TOR node is made available to be nice? (This on I can believe)
Heartbleed - I didn't even consider that but really I should have.
Unless I'm understanding wrong, you have to update not only the pfsense but also any SSH or Openvpn client accessing it.
Any unpatched server or client makes everything vulnerable. Is this correct?
-
Since I had De-Duplication on in pfBNG my first search only showed that IP in one list, i did a full search for that IP and it is a TOR exit node and listed on more Lists…
grep "^18.239.0." *
Blut_Tor.orig:18.239.0.140
ET_IPrep.orig:18.239.0.140
Greensnow.orig:18.239.0.155
Iblock_TOR.orig:18.239.0.155/32
Infiltrated.orig:18.239.0.140
Snort_BL.orig:18.239.0.140 -
You think the hacker hacked his system and patched it to be nice?
Possibly. That or they're super inept given absolutely no attempts to clear up their tracks - no clearing of logs showing their login and IP, and probably other traces left behind.
-
Yeah - These guys left alot of evidence behind. Pretty sloppy… Barely better than I could do (-:
-
So the prevailing concern at the time was that heartbleed would divulge private key material. Are you saying that you think it divulged the admin password instead?
-
Not sure what others were thinking, but yeah. Credentials seems to be on the menu with heartbleed as well as other memory contents.
http://heartbleed.com has a list of the various impacts and what could be compromised (everything in this case it would seem).
I still wouldn't assume the way in didn't start with a compromised windows machine though.
-
So the prevailing concern at the time was that heartbleed would divulge private key material. Are you saying that you think it divulged the admin password instead?
It divulged contents of memory, which some proved could be used to steal the session cookie if you hit it while an admin is logged in and working with the system. It's potentially possible to get the password if you hit it at the time the admin's submitting the password, though that's harder than getting the session cookie. Lot of possibilities for badness when you can get a system to divulge its memory contents to you.
-
Yeah normally I use my Linux Laptop to administrate the box but sometimes it has to windows.
It almost never has to be Windows if you have an "DoD Lightweight Portable Security" bootable Linux CD handy. DoD came up with the concept for DoD workers to securely access DoD computers from their Windows machines when they kept failing to secure the Windows software. Stick it in, boot it up and you have a minimally functional Linux system that includes the basics. They have a Deluxe version that has more stuff but it is slower to boot and a waste of time unless you need the additional stuff.
http://en.wikipedia.org/wiki/Lightweight_Portable_Security
http://spi.dod.mil/ (site is down from here tonight)
Using another bootable Linux of BSD would also work, the lightest you can find that meets your needs will boot fastest.
Using a USB bootable media will also work and may be faster to boot but it is subject to tampering which is much harder to do to a CD.
I keep a few handy, I hand them out to neighbors and friends with corrupt Windows systems. Good enough until they can find someone to fix their Windows problems and it gets me away from the "please fix my Windows box" sad puppy eyes with near zero effort!
-
