Recently in Security Category

...that I got caught in a "spear phishing attack". (A malware attack where they send an email specifically crafted to one or two people.) The email was a receipt from a hotel that I stay at occasionally but it listed the address as being in South Carolina instead of San Francisco. I clicked on the PDF to read it and then realized I was being phished because I haven't been to South Carolina in ages and the invoice mentioned a coworker that I've never traveled with. I started shutting down my computer and made plans to wipe the disks; glad I have good backups but not wanting to go through the pain of being without my laptop until I could do this.

That's when I woke up.

Yes, it was a dream.

I have a friend who only clicks on web links if they are on a ChromeOS machine. They use many machines, but if they get a link that is outside their domain they move it to a ChromeOS box to click on it. That's an interesting discipline to develop. I wonder how soon more people will do that.

It used to be there was a small group of people that were extremely paranoid about giving out their social security number or credit card numbers. At the time people called them "paranoid". Now there is this thing called "identity theft" and those people are considered to be "forward thinkers".

I wonder what paranoid behavior today will be normal in the future.

I'll be speaking at LOPSA-New Jersey on Thursday. This will be a repeat of the keynote I did in North Carolina last November. While it says "security" in the title, it will make sense whether you work in security or not. All are invited! (no charge to attend)

Topic: You Suck At Time Management (but it isn't your fault!)
Date: Thursday, January 5 2012
Time: 7:00pm (social), 7:30pm (presentation)

Pizza and Soda being brought to you by: INetU Managed Hosting

If you are planning on coming please RSVP so we have a good count for the pizza.

Location: Lawrence Headquarters Branch of the Mercer County Library
2751 US Highway 1
Lawrenceville, 08648-4132

So much to do! So little time! Security people are pulled in so many directions it is impressive anything gets done at all. The bad news is that if you work in security then good time management is basically impossible. The good news is that it isn't your fault. Tom will explore many of the causes and will offer solutions based on his book, "Time Management for System Administrators" (now translated into 5 languages).

OFFICIAL ANNOUNCEMENT HERE

Mac Malware

Some people laughed when I tweeted http://goo.gl/3yyKg but now look at this http://goo.gl/XpG03 just 8 days later!

This might be a good time to relink to my post called Yes, malware scanners on your servers too!

Posted by Tom Limoncelli in Security

I recently posted my "6-point list of security minimums" for the enterprise. That is, 6 things that may have been "would be nice" in the past but are now absolutely required as far as I'm concerned. Most sites do not do all 6, and I think it is time that such sites got with the program 'cause you are making the rest of us look bad.

I got a number of comments asking if I was serious about malware scanners on all computers.... did I really mean servers too?

Yes.

If the machine is a file server then the files being stored should be scanned. It prevents this server from being the unintentional transmitter of infected files. [As a bonus it is an interesting way to detect which users are not protecting themselves. Notice that a large fraction of the infected files are in a certain person's network home directory? Yeah, better check to see if they've disabled their malware detector.]

Web servers, email servers, and "shell servers" all have the same issue. One of my personal servers is a FreeBSD box on which I let friends have shell accounts. I recently ran a popular commercial virus scanner on all the files. I found 3 files with viruses: one in my home directory (I had done a backup of a laptop to the server ages ago), and two in the home directories of users who were just as shocked as me. Fixing those infected files prevented those users from passing the malware along.
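The "which user keeps turning up with infected files" check described in the two paragraphs above is easy to automate once you have a scan report. The following is an added example, not code from the original post or from any particular scanner vendor: it parses report lines in the clamscan style (`<path>: <signature> FOUND`, `<path>: OK`), maps each hit back to the home directory that holds it, and lists the users with more than a threshold of hits. The report lines, hostnames and signature names below are constructed for the example.

```python
"""Aggregate an antivirus scan report by network home directory.

Added example (not from the original post). Assumes clamscan-style report
lines; the sample report below is constructed, not real scanner output.
"""
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed sample report in clamscan's line format (signatures are made up).
SAMPLE_REPORT = """\
/home/alice/docs/report.doc: OK
/home/alice/old-laptop-backup/setup.exe: Win.Trojan.Example-1 FOUND
/home/bob/Downloads/invoice.pdf.exe: Win.Trojan.Example-2 FOUND
/home/bob/Downloads/photos.zip: Win.Worm.Example-3 FOUND
/home/carol/notes.txt: OK
/srv/ftp/pub/tool.exe: Win.Trojan.Example-4 FOUND
/srv/www/htdocs/index.html: OK

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# One line per scanned file; only lines ending in FOUND are detections.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_report(text):
    """Yield (path, signature) for every FOUND line; OK and summary lines are skipped."""
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            yield m.group("path"), m.group("sig")


def owner_of(path, home_root="/home"):
    """Return the user whose home directory under home_root contains path, else None."""
    parts = PurePosixPath(path).parts
    root_parts = PurePosixPath(home_root).parts
    if parts[:len(root_parts)] == root_parts and len(parts) > len(root_parts):
        return parts[len(root_parts)]
    return None  # outside the home tree: web roots, FTP areas, system files


def infections_by_user(text, home_root="/home"):
    """Return {user or '<system>': Counter(signature -> number of files)}."""
    result = defaultdict(Counter)
    for path, sig in parse_report(text):
        user = owner_of(path, home_root) or "<system>"
        result[user][sig] += 1
    return dict(result)


def users_over_threshold(text, threshold=2, home_root="/home"):
    """Users whose home directories hold at least `threshold` infected files.

    These are the people whose own desktop protection is worth checking.
    """
    by_user = infections_by_user(text, home_root)
    return sorted(u for u, c in by_user.items()
                  if u != "<system>" and sum(c.values()) >= threshold)


if __name__ == "__main__":
    for user, sigs in sorted(infections_by_user(SAMPLE_REPORT).items()):
        print(f"{user}: {sum(sigs.values())} infected file(s) {dict(sigs)}")
    print("follow up with:", users_over_threshold(SAMPLE_REPORT))
```

Point it at the output of a scheduled full scan (`clamscan -r /home`, or any scanner whose report you reformat into the same two-field lines) and the per-user summary falls out; anything counted under `<system>` is the server's own problem rather than a user's.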

Server performance won't suffer very much. Modern malware scanners are much better behaved. Operating systems have more efficient hooks to let them do their work. Plus, the better vendors are trying to be the lightest burden on system resources. Competition will help that.

I also run a malware scanner on my personal Mac even though Macs are known to not have a lot of virus problems... at this time. Most of the infected files it has detected are Windows virii that wouldn't harm me, but it is still worth it because it means I haven't propagated those files to my Windows-using friends.

The problem, however, is that in this era of APT it has become very common to find malware written specifically to seek out a particular person or company. The anti-malware vendors are less likely to discover such junk, and if they do there isn't as much financial incentive for them to publish signatures for such things. However, doing this kind of scanning is still important just like people with strong teeth should still brush their teeth. It is good hygiene.

There are still threats from XSS, weak passwords, social engineering and so on and so on. However not doing these 6 basic things is irresponsible bordering on professional negligence.

Posted by Tom Limoncelli in Security

Someone recently asked me how often an enterprise might expect to be attacked.

Attacks are no longer something that happens now and then, they are constant. An hour without an attack is an hour your network connection was down. This is sometimes known as the "Advanced Persistent Threat". Shortly after APT was declassified someone gave a lecture about it at Usenix LISA. You can watch it here. (Note: I found some of what he revealed to be disturbing).

I think the person meant how often an enterprise might expect a successful attack.

That's an entirely different matter.

Knowing about APT is one thing. What does it mean to you and me? To me it means that the following things are no longer "would be nice" but are required:

  1. virus scanners on all machines (even servers)
  2. virus scanners must automatically, silently, update. No user confirmation.
  3. a way to verify that virus scanners aren't disabled and/or flag any machines that haven't updated in X days.
  4. OS patches must be automated and, for critical security fixes, performed without user confirmation. (If you admin Mac OS X, try Munki)
  5. email filters (anti-virus, anti-spam) centralized; you can't trust each individual machine to filter on their own. Do it on the server or before it gets to your server.
  6. firewalls in front of external servers, not just in front of the enterprise
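Item 3 on the list is the one most sites have no tooling for. As an added example (not from the original post, and not tied to any particular antivirus product), here is a check that takes an inventory export of one record per machine and flags anything whose scanner is disabled, has never reported a signature update, or is more than X days out of date. The CSV columns, hostnames and timestamps are constructed for the example; a real export from your scanner's management console will need its own column names mapped in `parse_inventory`.

```python
"""Flag machines whose malware scanner is disabled or has stale signatures.

Added example (not from the original post). The inventory format is an
assumption: hostname, whether real-time scanning is enabled, and the UTC
timestamp of the last signature update.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed inventory export; the column names are assumptions for the example.
INVENTORY_CSV = """\
hostname,scanner_enabled,last_signature_update
fs01.example.net,true,2012-01-04T03:15:00Z
web02.example.net,true,2011-12-20T11:00:00Z
laptop-17.example.net,false,2012-01-03T22:40:00Z
mail01.example.net,true,
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_timestamp(text):
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never reported'."""
    text = text.strip()
    if not text:
        return None
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_inventory(text):
    """Turn the CSV export into a list of {hostname, enabled, last_update} dicts."""
    machines = []
    for row in csv.DictReader(io.StringIO(text)):
        machines.append({
            "hostname": row["hostname"].strip(),
            "enabled": row["scanner_enabled"].strip().lower() == "true",
            "last_update": parse_timestamp(row["last_signature_update"]),
        })
    return machines


def find_noncompliant(machines, now, max_age_days=7):
    """Return {hostname: reason} for every machine that fails a check.

    Order matters: a disabled scanner is reported as such even if its
    signatures happen to be fresh, because the freshness is irrelevant then.
    """
    cutoff = now - timedelta(days=max_age_days)
    problems = {}
    for m in machines:
        if not m["enabled"]:
            problems[m["hostname"]] = "scanner disabled"
        elif m["last_update"] is None:
            problems[m["hostname"]] = "never reported a signature update"
        elif m["last_update"] < cutoff:
            age = (now - m["last_update"]).days
            problems[m["hostname"]] = f"signatures {age} days old (limit {max_age_days})"
    return problems


def check_inventory(text, now_iso, max_age_days=7):
    """Convenience wrapper: CSV text plus an ISO 'now' -> {hostname: reason}."""
    return find_noncompliant(parse_inventory(text), parse_timestamp(now_iso), max_age_days)


if __name__ == "__main__":
    # Using a fixed 'now' so the constructed sample gives repeatable results.
    for host, reason in sorted(check_inventory(INVENTORY_CSV, "2012-01-05T12:00:00Z").items()):
        print(f"{host}: {reason}")
```

Run it from cron against a fresh export and mail the non-empty result to whoever owns the machines; a machine that appears on the list day after day is exactly the "has someone disabled their scanner" case the list item is about.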

Lastly, the belief that "I won't be attacked, I don't have anything valuable" has to come to an end (and has been for a while). The fact that you have CPU to exploit or bandwidth to consume is valuable to attackers.

My 6-point list seems long but I bet it isn't long enough. What would you add?

Posted by Tom Limoncelli in Security

My apologies for flogging my employer's product, but enough people have asked me "how can I protect my gmail account" that I feel this is worth it.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229216897

Google has enabled 2-factor authentication for GMail. I highly recommend you enable this. Attacks on gmail accounts (and all accounts) are increasing in frequency.

Posted by Tom Limoncelli in Security