
SANS ISC InfoSec Handlers Diary Blog



Educationing Our Communities

Published: 2009-12-19
Last Updated: 2009-12-21 15:04:07 UTC
by Deborah Hale (Version: 1)
4 comment(s)

A few weeks ago it was my pleasure to talk to a group of young people who were participating in a program through Iowa State University School of Engineering.  This program is designed to get children interested in and excited about science, technology and engineering (www.isek.iastate.edu/fll/).  The group was preparing for the regional Lego League competition, and the project that they chose for the competition was how to safeguard their Virtual Community.  They asked me questions about what we see happening on the Internet and how it affects them as individuals as well as the businesses that are connected to the Internet.  I explained to them the dangers of illegal download activity, clicking on links in emails, messages and websites, etc.   They asked what could be done to improve the condition of the virtual world.  I told them how we oftentimes joke about creating a "test" and that everyone would have to pass the test and receive a driver's license before they were allowed on the Internet - the World Wide Superhighway.  The group took this to the next level and created a test:

Facts to Know to Keep Your Computer Safe from Viruses

A virus is a computer program that is intended to do harm. A virus can delete information on your computer or use your e-mail to send viruses to other computers.

Malware is a computer program such as a Trojan Horse or a Worm.

A Trojan Horse is when a computer virus pretends to be something that it is not. EX: screen savers or computer games.  If something sounds too good to be true, then don’t trust it.

A Worm is a computer virus that moves through ports and uses the computer network.

A DNS code is an address that changes the number code into words so we can remember them.

A router is a device that ships and delivers information and a router switch is the same thing but it is more efficient.

If you get an unexpected email from somebody you don’t know don’t open it.

If there is an attachment to an email you can open it as long as you have the file checked with Anti-Virus protection software.

There are many ways to be protected from a virus, like through a firewall and anti-virus programs like Norton, and Mac-Updates that are already on a Mac.

Firewalls don’t accept some things because they don’t fit the criteria.

Be careful when going to game sites or other sites that let you download things because you may get a virus.

Remember, nothing is free.  Beware of free stuff, programs, games, etc. that are offered on the Internet.  These usually contain viruses.

Anything that connects to the internet can contract a virus; this includes your cell phone and Xbox.

Are you prepared to protect your computer against a virus?  Earn your Internet User’s License!

Take this quiz to see if the internet is a safe place for you to be. Get a piece of paper to write your answers down. 

1. What is a virus?

    A. An illness causing you to become sick
    B. An uncommon program that goes into your computer to help
    C. A malicious computer program intended to do harm
    D. None of the above

2. What is Malware?

    A. A malicious program such as a worm or Trojan horse
    B. A kind of anti-virus program
    C. A new style of clothing that is in fashion
    D. A newsletter on the internet providing information about viruses

3. What is a DNS (Domain Name Server) code?

    A. It changes numbers into words so we remember them
    B. It is a program protecting your computer
    C. It turns your name for your computer into a number address
    D. None of the above

4. How do you know if you can trust the source of an email, IM, etc.?

    A. If the source looks somewhat familiar, just open it
    B. The email will check it anyway, so you can open it
    C. If you do not know the source and were not expecting a message, do not trust it
    D. None of the above

5. What is a Trojan horse?

    A. A virus that hides your files
    B. A moving virus infecting many computers
    C. A mystical being
    D. A virus that pretends to be one thing that it’s not, i.e. a screen saver

6. What is a worm?

    A. Something crawling through soil
    B. A computer virus moving through ports
    C. Something that is tracking the computer
    D. None of the above

7. Which of these are not computer protection programs?

    A. Firewall
    B. Norton
    C. Plato
    D. Mac-Updates

8. If you get an unexpected e-mail, how should you open the attachments?

    A. Don’t open it at all
    B. Have your antivirus program verify it
    C. Go ahead and open it
    D. None of the above

9. Why don’t firewalls accept some ports?

    A. Because it doesn’t meet its criteria
    B. It doesn’t like them
    C. It is too much work
    D. None of the above

10. How is a router switch different from a router?

    A. It’s not different at all
    B. It’s more efficient
    C. It’s less efficient
    D. None of the above


I want to say to my young friends...  Good job.  I was selected to be a judge for the Regional competition and was very impressed with not only how this group did, but on how creative and energetic all of the participants were.  My congratulations to all involved for an outstanding program.

And to all of you that are out there working to educate your community I say thanks so much.  It is with all of us working together that we can improve the future of all technology.

Deb Hale Long Lines, LLC


Frustrations of ISP Abuse Handling

Published: 2009-12-19
Last Updated: 2009-12-19 16:21:14 UTC
by Deborah Hale (Version: 1)
13 comment(s)

I am the Abuse Coordinator for a small ISP in the Midwest and am very receptive and proactive when dealing with spam originating from our network.  I monitor log reports from servers and firewalls, have subscribed to all of the FBLs that I am aware of, participate in an abuse listserv, review our domain information on the MS site, SenderBase and Trusted Source daily, and resolve to eliminate spam from our network as quickly as possible, oftentimes before we even receive the first official notification. We have been under a barrage of spam attacks from various IP addresses all over the world, just like many others have reported, and have felt the pain of email DoS firsthand.  We recently implemented a Red Condor filtering system, blocking over 24 million spam emails from just one of our domains in the first 3 weeks of December.  We know firsthand the damage that can be done by spam.  We strive every day to work with our customers to reduce the amount of spam coming from their home computers, as well as with our business customers to ensure that they secure their mail servers to prevent abuse.  As soon as abuse is discovered it is handled.

So where am I going with this?  I am frustrated with organizations such as Trend Micro, SORBS, etc. that block IPs for NO reason whatsoever.  They simply don't like the "server name" that was chosen or the way the IP is identified in the ARIN registration. One example: one of our business mail servers was blocked because they didn't like the name....  da2.our.domain (real name masked).  They assumed that da2 stood for "dialup access" instead of "direct admin".  There had been absolutely no spam reported from the box, but because they THOUGHT it was a dialup computer they blocked the IP.   We recently have been battling blocklists that are preventing email from being delivered simply because our ARIN listing does not indicate that the IP address is static.  Now these are legitimate mail servers on IP addresses that are statically assigned to our customers.  There have been absolutely no spam reports from any of the servers, yet they are being blocked from sending legitimate email.

The companies that are doing this have taken it upon themselves to act as god of the Internet.  They insist that we comply with their demands, in the manner that THEY want it done, and because we won't comply they will not allow legitimate emails to be delivered.  One of the servers that they have blocked is a mail server for a small city government, for their police dept, fire dept, and EMS dept.  It was explained to Trend Micro that they were endangering the well-being of this small community without justification.  I asked them if they had any examples of spam originating from the IPs and they indicated they had none. They sent an email with what needed to be done to comply with their rules.   They said that we had to comply or they WILL NOT remove the block.

Some of you are probably thinking - why don't you just do what they want done so that it doesn't happen again?  We have considered that.  However, last week it was SORBS, this week it is Trend Micro, next week someone else, the next week someone else, and we will end up spending all of our time trying to comply with every one of these groups that comes along.  We were told by Trend Micro that they want all mail servers to indicate that they are mail servers by using mail. or smtp. for the server names.  We don't control our customers' mail servers. We don't tell them what they have to name the server, and many times we don't even know that they put up a mail server unless they have problems delivering or receiving mail.  We don't have time to be big brother to our customers.  If the customer violates our AUP, if the customer's IP is reported for spam or copyright infringement, it is handled immediately.  Otherwise, it is up to the businesses themselves and their IT folks what they do with the static IPs that are assigned to them.

Some people complain that the ISPs aren't doing enough to keep the Internet free from spam and malicious activity, and you may be right.  It could be because the ISPs are spending all of their free time playing games with the Internet Big Brothers.  I for one am tired of hearing the criticism of ISPs, of the complaining that we aren't doing enough.  I know folks that work for other small ISPs such as ours and I know that they too are doing their best to stay ahead of the game.  I think it is time for all of the "Big Brothers" out there to get a clue: you are doing more damage to the Internet by your lack of responsibility than all of us put together.  Until we all agree to one standard, until the Internet "police" provide all of us with one set of rules that we all have to comply with, we will continue to fight the battle of not only spam but also the differing opinions on how these lists should be handled.

If these companies want to set rules, why not use SPF (Sender Policy Framework) to set these rules?  SPF has been in place for a long time and has been a recommended standard.  We are working towards SPF records for all of our mail servers and hope to have all SPF records completed within the next week.  Will this be enough to satisfy the "big brothers"?  We are also setting up RDNS records for our customers' mail servers that we are aware of.  Will this be enough?  I am all for blocking computers, mail servers or home computers that are identified as sending legitimate spam.  If one of our devices is spamming, I block it on our network before it ever gets to yours.
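As an added example (not code from this diary, from Long Lines, or from any of the list operators named above), here is a simplified, offline evaluator of what a receiving mail server can check once an ISP publishes SPF and reverse-DNS records for its customers' mail servers: it walks an SPF record's ip4, ip6, a, mx, include and all mechanisms for a connecting IP, and it performs a forward-confirmed rDNS (FCrDNS) check, which is an objective test a list operator can apply instead of guessing from a hostname fragment like "da2". Every hostname (example.net, da2.example.net, _spf.mailhost.example), address (203.0.113.x, 2001:db8::/32) and zone entry below is a constructed documentation value, and `lookup` stands in for a real resolver; the exists, ptr, redirect and macro features of SPF are deliberately not implemented.

```python
"""Simplified SPF evaluation and forward-confirmed rDNS against an in-memory zone.

Added example, not from the ISC diary or from Long Lines. All DNS data is
CONSTRUCTED: example.net, 203.0.113.0/24 and 2001:db8::/32 are reserved
documentation names/ranges, not real hosts.
"""
import ipaddress

# Constructed zone data standing in for real DNS answers.
ZONE = {
    ("example.net", "TXT"): [
        "v=spf1 ip4:203.0.113.0/28 mx a:da2.example.net "
        "include:_spf.mailhost.example -all"
    ],
    ("example.net", "MX"): ["mx1.example.net"],
    ("mx1.example.net", "A"): ["203.0.113.20"],
    ("da2.example.net", "A"): ["203.0.113.40"],            # a "direct admin" box
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip6:2001:db8:1::/48 -all"],
    ("40.113.0.203.in-addr.arpa", "PTR"): ["da2.example.net"],
    ("99.113.0.203.in-addr.arpa", "PTR"): ["dyn-99.example.net"],
    ("dyn-99.example.net", "A"): ["203.0.113.98"],        # PTR does not point back
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver: returns the constructed answers for (name, type)."""
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is valid; zero means 'none', more is an error."""
    recs = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def _addresses(host):
    return {ipaddress.ip_address(a) for a in lookup(host, "A") + lookup(host, "AAAA")}


def check_spf(ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if depth > 10:                      # include loop or excessive nesting
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            matched = addr in _addresses(arg or domain)
        elif mech == "mx":
            matched = any(addr in _addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":         # include matches only on a 'pass' of the referenced policy
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:                           # exists/ptr/redirect/macros are out of scope here
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched


def fcrdns(ip):
    """Forward-confirmed rDNS: PTR names whose A/AAAA records point back at ip."""
    addr = ipaddress.ip_address(ip)
    ptr_names = lookup(addr.reverse_pointer, "PTR")
    return [name for name in ptr_names if addr in _addresses(name)]


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.20", "203.0.113.40", "203.0.113.99", "2001:db8:1::25"):
        print(f"{ip:>16}  spf={check_spf(ip, 'example.net'):<8}  fcrdns={fcrdns(ip)}")
```

The da2 host passes both checks because its operator published an `a:` mechanism and a PTR that confirms forward, whereas the dynamic-looking .99 address fails SPF and has a PTR that does not confirm; neither verdict depends on what the hostname happens to be called.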

The frustrating thing about all of this is that I know that these companies are making big bucks selling a product to their customers that will break the customers' ability to receive email.  Are these companies explaining that to the customers?  Obviously not.  The folks emailing our customers expecting a response from our customers don't have a clue that it is their "filter" that is preventing the delivery of the email.  It is this Handler's opinion that we will all really need to take a step back and learn to work TOGETHER to resolve the spam problem without causing more issues for an already stressed business community.


Deb Hale Long Lines, LLC

Keywords: ISP Abuse