2.19.12 - Smart Phones / Android Mobile Exploits
Smart phones are almost everywhere these days, and many access school wireless networks. Like any other computer, smart phones are exploitable and could cause security concerns. Android devices, according to Symantec, are subject to a trojan that can get instructions from a command and control (C&C) bad guy server, potentially steal confidential information from your Android device, and may display a barrage of ads as well. Krebsonsecurity reported on a ZeuS version for Android and ThreatPost has a very interesting BotNet article as well. There are several exploits for Android but the one we are seeing is called Android.Counterclank Command and Control.

** What this means to you **

If your school has open wireless and student/staff smart phones are logging into this wireless network, then take measures to deny this open wireless traffic to your school network. In other words, don't allow "open" wireless traffic on your network. Many schools are supporters of BYOD (bring your own device) technology. That's fine if you have a way to contain that traffic and kill exploits that users bring from home on their devices. Failure to do this can result in your network being attacked.

Currently, over the last 7 days, we've seen Android.Counterclank traffic sourcing from nine (9) NewNet 66 school districts. The locally infected Android devices make a request to the bad guy servers (Command & Control), then the bad guys try to send commands to the infected Android devices. NewNet 66 is stopping this traffic at the head end of our network via our Next Generation PaloAlto Firewall.

NewNet 66 will be watching closely for mobile phone attacks and will provide additional details as they become available. While there are not many Android or other smart phone events at this time, we do expect exploit numbers to grow. In the meantime we would strongly suggest you deny your open wireless traffic from entering your school network.
The chart at right notes a 7 day report showing C&C traffic to Android devices on school networks. It is important to understand that the Android device made the request to the C&C server and the NewNet 66 PaloAlto Firewall blocked the response traffic.
2.11.12 - Attackers We Deny (The Bad Guys)
We are often asked "who is attacking our school and why." The who is pretty easy to obtain; the why is likely all about money. Let's focus on the who for now. Below is a 12 hour snapshot of bad guy IP addresses we have seen attacking the NewNet 66 network in the past. In short, the source IPs are known attackers, so we add them to a rule in our PaloAlto firewall denying them access to our network. The first IP tried to gain access to the NewNet 66 network 9,600 times. That's 800 attempts per hour. Note the destination port 1433, which is a common Microsoft SQL Server port. 45,997 attacks on this list were denied, so there is a good level of comfort for NewNet 66 school districts knowing attackers are being stopped at the door before they get to you.
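The kind of per-source summary described above (attempts, attempts per hour, most-targeted destination port) can be produced from any export of denied traffic. This is an added example, not NewNet 66's tooling or PaloAlto's log format: the four-column layout, the documentation-range IP addresses and the function names are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

WINDOW_HOURS = 12  # length of the snapshot discussed in the post

def build_sample_log():
    """Constructed records in an assumed layout: timestamp,src_ip,dst_port,action."""
    plan = [("203.0.113.10", 1433, "deny", 36),
            ("198.51.100.7", 22, "deny", 12),
            ("192.0.2.44", 1433, "deny", 3),
            ("192.0.2.80", 443, "allow", 20)]
    lines = []
    for src, port, action, count in plan:
        for i in range(count):
            hour = i * WINDOW_HOURS // count  # spread events across the window
            lines.append(f"2012-02-11T{hour:02d}:00:00,{src},{port},{action}")
    lines.append("2012-02-11T03:00:00,not-an-ip,1433,deny")  # malformed row
    return "\n".join(lines)

def summarize_denied(log_text, window_hours, min_per_hour):
    """Return [(src, attempts, per_hour, top_dst_port)] for sources at or over the rate."""
    attempts = Counter()
    ports = defaultdict(Counter)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or row[3] != "deny":
            continue  # only denied sessions count as attempts
        _, src, dport, _ = row
        try:
            ipaddress.ip_address(src)
            dport = int(dport)
        except ValueError:
            continue  # never let a malformed row reach a deny list
        attempts[src] += 1
        ports[src][dport] += 1
    report = []
    for src, n in attempts.most_common():
        per_hour = n / window_hours
        if per_hour >= min_per_hour:
            report.append((src, n, per_hour, ports[src].most_common(1)[0][0]))
    return report

if __name__ == "__main__":
    for src, n, rate, port in summarize_denied(build_sample_log(), WINDOW_HOURS, 1.0):
        print(f"{src:15} attempts={n:4} per_hour={rate:5.1f} top_port={port}")
```

Sources below the rate threshold stay off the report, which keeps a single stray connection from turning into a permanent deny entry.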
2.10.12 - Streaming Applications (recreational apps)
Many school districts are voicing concerns about not being able to post online grades due to slow Internet. The question -- why is the Internet slow? While there are many network issues that will cause slow Internet, "recreational Internet" tops the list. Recreational applications like streaming music (Pandora and GrooveShark, for example) might be part of the problem. Below is a list of streamed applications for a 4 day period. This list represents all NewNet 66 School Districts combined. * denotes applications which we consider to be recreational. Byte traffic is in "G" Gigabytes and "M" Megabytes. Sessions are in thousands.
1.23.12 - Countries Your Users Visit.
Watching outbound traffic sourcing from NewNet 66 school districts presents some questions. The screen capture below represents traffic by country and only traffic coming from NewNet 66 schools destined for the Internet. The time frame is 24 hours from Sunday 0600 to Monday 0600 when school is not in session. One must ask the question, "why is traffic going to the Netherlands, European Union, and others?" Certainly some of this traffic is spyware trying to phone home or it could be users on a Sunday afternoon at school visiting countries outside the domestic US. Either way, this is a lot of traffic leaving the domestic US.
M = Millions
1.8.12 - Regions of the world that attack.
In late December we noted in our web log a 15 minute snapshot of attacking countries. Today we note a 1 hour snapshot (60 minutes) of attacking countries on 1.8.12. The attacks total 122,552, or just over 2,000 per minute. The numbers provide a glimpse of how much traffic the bad guys generate.
It is important to remember the bad guys only have to get it right once. You have to get it right all the time with no mistakes.

We continue to watch over our network this holiday season, noting a significant increase in offshore attacks. The chart at right is a 15 minute snapshot of bad guy activity attacking our network, which is denied by our next generation firewall. The attacks are likely "bots" or PCs that are owned by the bad guys. Total attacks equal 43,492. Based on this information the following questions arise.

1. What about your home network? Are you up to date on your Antivirus and Software? Do you have a firewall?
2. If you copy files to a thumb drive at your home network which may be infected, then bring the thumb drive to school, what measures are in place to protect the school network?

Update 12.31 0600 - We ran the report again, noting 8 more countries joining the attack brigade.
Welcome to the NewNet 66 Web Log! Our purpose is to bring information to our K12 school districts which we feel is necessary to daily survival in managing your network and technology program. If you have feedback please send it here.


Copyright © 2000-2012
NewNet 66