An article uploaded to Infosec Island the other day got me thinking about RDP, Microsoft's Remote Desktop Protocol.
In the article, Brett Huston, who sells honeypot software, talks about the prevalence of RDP connection attempts seen in his honeynet.
He suggests that the average computer will experience around 50 RDP probes a day - one every half-an-hour - and that the crooks aren't merely looking. If you accept the connection, the guys at the other end will actively try to make use of it.
A honeypot is a monitored system which aims to attract hackers, seducing them into thinking they've hit paydirt, and thus tricking them into showing their hand, without giving them much - or even anything - of any real value.
Of course, a honeypot only tells you how many people are trying to connect to what they think is an RDP server, rather than indicating how many actual RDP servers are out there listening directly on the internet. But it's reasonable to assume that regular and systematic attempts to connect imply that there are enough openly-available RDP servers to make it all worthwhile.
With this in mind, I asked my Sydney-based colleague and network security expert Troy Cunningham - who conveniently for me, if not for him, sits within both sight and sound of my desk - what he thought.
Troy runs our free Sophos UTM Home Edition on his own network chez Cunningham, so he kindly offered me the data from his own logs. He'd experienced an average of just under 20 RDP probes per day over the previous month, for a total of 583 connection attempts from 387 different IP numbers in 42 different countries.
That's the level of RDP attention given by the Bad Guys to an Aussie consumer-grade ADSL connection. I can't prove it, but I have to suspect that these figures are at the low end of the scale. In short, if you have a business network, you should expect things to be even worse.
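To show how figures like Troy's can be pulled out of a firewall log (attempts per day, distinct source addresses, repeat offenders), here is an added example that is not part of the original article. The log format, the addresses and the dates are constructed for the example; it is not the Sophos UTM log format.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample lines (not real Sophos UTM output, not from the article):
# dropped inbound TCP packets with source address and destination port.
SAMPLE_LOG = """\
2012-08-01T03:14:22 fw DROP proto=TCP src=198.51.100.23 dst=192.0.2.10 dport=3389
2012-08-01T09:40:01 fw DROP proto=TCP src=203.0.113.77 dst=192.0.2.10 dport=3389
2012-08-01T12:02:13 fw DROP proto=TCP src=198.51.100.23 dst=192.0.2.10 dport=3389
2012-08-01T18:55:49 fw DROP proto=TCP src=203.0.113.5 dst=192.0.2.10 dport=22
2012-08-02T00:10:30 fw DROP proto=TCP src=203.0.113.77 dst=192.0.2.10 dport=3389
2012-08-02T07:31:08 fw DROP proto=TCP src=198.51.100.200 dst=192.0.2.10 dport=3389
2012-08-03T21:45:12 fw DROP proto=TCP src=192.0.2.99 dst=192.0.2.10 dport=3389
"""

RDP_PORT = 3389  # default TCP port for Remote Desktop
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ (?P<action>\w+) proto=TCP "
    r"src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+)$"
)

def summarise_rdp_probes(log_text, repeat_threshold=2):
    """Count inbound attempts to the RDP port and report the same kind of
    per-day / unique-source figures the article quotes."""
    per_source = Counter()
    days = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != RDP_PORT:
            continue  # malformed line, or not aimed at RDP
        per_source[m["src"]] += 1
        days.add(date.fromisoformat(m["day"]))
    total = sum(per_source.values())
    # Inclusive span of days covered, so a one-day log counts as 1 day.
    span = (max(days) - min(days)).days + 1 if days else 0
    ranked = sorted(per_source.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "attempts": total,
        "unique_sources": len(per_source),
        "days": span,
        "per_day": round(total / span, 2) if span else 0.0,
        "ranked_sources": ranked,
        # Addresses that came back more than once: candidates for a block list.
        "repeat_sources": [ip for ip, n in ranked if n >= repeat_threshold],
    }

if __name__ == "__main__":
    for key, value in summarise_rdp_probes(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```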
[Chart: RDP connection attempts by source country.] "Others" include Romania, Iran, Saudi Arabia, Ukraine, Kyrgyzstan, Egypt, Australia and more. These are almost certainly hacked computers used indirectly by the real crooks. That's why security matters: even if you don't think you have anything to protect, you may still end up being part of the problem.
RDP, for those who haven't used it, effectively mirrors the screen and keyboard of a remote system on your local device. Move the mouse in the RDP client, and it moves on the remote system. Pop up a software dialog on the remote system and the screen updates are mirrored on your local desktop. It's almost as good as being right there.
Leaving RDP open to the internet is therefore a little bit like giving a visitor a seat in the corner of your server room and saying, "I'll just leave you here while I go for lunch. Don't touch anything, will you?"
Another reason for hackers to look for RDP servers openly on the internet is that any listening service which lets external, untrusted packets into memory on a potential victim's server can be a handy target for exploits. Microsoft's RDP service has been patched against a couple of high-profile vulnerabilities so far this year, and where exploits are found, crooks are sure to follow.
Don't take risks. If you want to give your techies remote desktop access, let them first connect into your network through a secure VPN tunnel, ideally with two-factor authentication. Then let them RDP from there. Two-factor authentication also raises the bar against stolen or weak passwords.
Fancy using the free Sophos UTM Home Edition?
You get web and email filtering, web application security, IPS, VPN and more for up to 50 IP addresses.
Turn that spare PC you have sitting in the corner into a full-on network security appliance!
(Note: registration required.)