Published: 2010-10-31

Cyber Security Awareness Month - Day 31 - Tying it all together

To the handlers who authored the daily Cyber Security Awareness Month diaries and to the readers who added comments and discussion - THANKS VERY MUCH!  Your collaborative spirit is what makes the SANS Internet Storm Center a true community effort, and a valuable resource to the broad Internet user community.

For this last day of the 2010 awareness month diaries we are providing links to all of the diaries we published this year, plus links to the previous years' summaries.  Please feel free to go back and re-read the diaries and add more comments at the bottom.  Again, this is a community project so the more thinking we get from everybody the stronger we are as a team.

In 2007 we covered a large range of subjects based on what our readers submitted as ideas.  In 2008 we took a closer look at the six steps of incident handling.  In 2009 we examined 31 different ports/services/protocols/applications and discussed some of the major security issues.  This year we "borrowed" an idea from Lance Spitzner and focused on ways to Secure the Human.  In other words, we discussed Layer 8, the carbon layer. 

If you have additional comments on any of these diaries feel free to add them directly to the bottom of the diary (you have to log in first) or if you want to remain anonymous you can send them to us via our contact form.

Week One (Oct 1-9) Parents and extended family
1 - Securing the family PC
2 - Securing the family network
3 - Recognizing phishing and online scams
4 - Managing email
5 - Sites you should stay away from
6 - Computer monitoring tools
7 - Remote access and monitoring tools
8 - Patch management and system updates
9 - Disposal of an old computer

Week Two (Oct 10-16) Children, schools, and young friends
10 - Safe browsing for pre-teens
11 - Safe browsing for teens
12 - Protecting and managing your digital identity on social media sites
13 - Online bullying
14 - Securing a public computer
15 - What teachers need to know about their students
16 - Securing a donated computer

Week Three (Oct 17-23) Bosses
17 - What a boss should and should not have access to
18 - What you should tell your boss when there's a crisis
19 - Remote access tools
       Remote user VPN tunnels - to split or not to split?
       VPN architectures – SSL or IPSec?
       Remote user VPN access – are things getting too easy, or too hard?
       VPN and remote access tools
20 - Securing mobile devices
21 - Impossible requests from the boss
22 - Security of removable media
23 - The importance of compliance

Week Four (Oct 24-31) Co-workers
24 - Using work computers at home
25 - Using home computers for work
26 - Sharing office files
27 - Social media use in the office
28 - Role of the employee
29 - Role of the office geek
30 - Role of the network team

31 - Tying it all together


Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2010-10-30

Cyber Security Awareness Month - Day 30 - Role of the network team

Day 30 ends week four of Cyber Security Awareness Month. First, a network team needs a leader who will serve as a point of contact, in most cases as the subject matter expert in networking, and as a project manager.

The Network Team is usually responsible for the network infrastructure and may need to evaluate, recommend, maintain and deploy security products on the perimeter and corporate network.

Some of the requirements might include:

  • Implement, support and maintain the security and network infrastructure
  • Have a solid understanding of enterprise architecture
  • Have a broad knowledge of networking technologies and a sound understanding of TCP/IP
  • Ensure a reliable service for all corporate users
  • Identify and develop scalable network designs, solutions and policy recommendations

If you are part of a network team and would like to share some of your other roles, you can share them via our contact form.


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

FOR 558: Network Forensics coming to Toronto, ON in Nov 2010


Published: 2010-10-30

Security Update for Shockwave Player

Adobe released a critical security update for Shockwave Player (Windows and Macintosh); the affected versions are listed in the bulletin. "This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3653)." Adobe recommends updating to the newest version. The bulletin is available here.


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

FOR 558: Network Forensics coming to Toronto, ON in Nov 2010


Published: 2010-10-29

Cyber Security Awareness Month - Day 29 - Role of the office geek

Today's topic is the role of the office geek. Those responsible for information security in a company regularly find people trying to commit fraud within the organization. Most organizations already have an incident response process and the corresponding rules for sanctioning that kind of behavior. There is another type of user, though, who has no intention of doing anything illegal: someone without a comprehensive understanding of information security but with above-average skills, who loves technology, studies on their own, and whose actions can cause us problems in our daily operations.

I can give an example that occurred in my company: an economist leading the process of importing goods and services was sent to a Microsoft Office course. As this employee loves technology, he decided to study a little more and to use Microsoft Access to keep all the information needed to handle the import procedures in a database. In a very short time it became the company's main database for the management of imports, and all of its content sat on a computer with 1 GB of RAM, Windows XP and an 80 GB disk.

When did we realize this database existed? When we performed a penetration test on the workstation infrastructure, since, as you might imagine, the database did not have the necessary security settings and, apart from that, had some vulnerabilities due to missing patches.

What to do with these people? They are a double-edged sword: although they can provide ideas and feedback to IT processes, it is necessary to channel their efforts and to enforce the guidelines established in the information security policy at all times.

As always, your comments are welcome. Please remember our contact form.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org


Published: 2010-10-29

SQL Slammer Clean-up: Contacting CERTs

As you go through the process of individually contacting abuse contacts (http://isc.sans.edu/diary.html?storyid=9664) and work your way upstream (http://isc.sans.edu/diary.html?storyid=9712), you may eventually end up at the state/national level. This should only occur in cases where the ISP is unresponsive, or actually complicit in the behavior. For something like Slammer this shouldn't be the case, but for completeness I'd like to cover how to engage CERTs.

Each CERT is unique. They have varying levels of funding and organization, their missions are not consistent from one country to another, but they do have a couple of things in common. Most are clearing-houses for abuse-reporting. If your research into the owner and up-stream provider of an infected IP address isn't turning up working contacts, they can usually help identify the correct contacts and forward the report on for you. Also, they are each responsible to a specific constituency.

Before contacting a CERT it's important to study their mission and their constituency. You will not get good results if you report an IP address or an organization that is outside of their scope. Some CERTs do not actually accept abuse reports from individuals or organizations and only service other CERTs (e.g. Asia Pacific Computer Emergency Response Team-- apcert.org)

As an individual or organization directly reporting an incident to a CERT it's best to use their online reporting form. This assures that your report enters their work-flow and contains the information that they require. Sending an email in your own format runs the risk that it may be ignored. If you shotgun your report as an email to multiple organizations and CERTs it's almost guaranteed to be ignored by most or all of the recipients on your list. However, if what you have to report doesn't fit with their reporting-form and you think an email is necessary, they are quite fond of digital signatures.

Let's look at a couple of examples. For reporting Slammer, your two most common countries are China and the United States. CNCERT has an easy web form to report infections: http://www.cert.org.cn/english_web/ir.htm. There's a little captcha to prove that you're human; you fill out a few fields, select "Virus, worm or trojan infection" as the incident type, paste your logs/packet dump in the description field, and ask that the system be taken offline or cleaned. Be sure to record in your tracking spreadsheet when you sent the report and what kind of response you get.

US-CERT (http://www.us-cert.gov) has their own reporting forms, they break them down into: incident, phishing, and vulnerability. For something like slammer, you'd use the "Report an Incident" link: https://forms.us-cert.gov/report/ They collect some contact information, as well as more details about how the incident is impacting you (none to minimal in the case of slammer attacks,) what type of followup you require (none, contact or forward-- probably forward in this case.) They ask for the current status of the incident, since the slammer infection is still ongoing, you could use the "Occurring" status. They have a couple of fields to use to describe the incident, one of them is specifically for pasting logs-- use that.

Reporting to an organization such as a CERT is often an act of faith. You're not likely to get a quick, human response (not like when you submit something to us: http://isc.sans.edu/contact.html), but your efforts do have an impact. The attention an IP address gets grows as more and more reports come in from multiple organizations. This is why I've been asking you to make your own reports individually rather than issuing a request to "send me all of your known SQL Slammer infections."

We're quickly approaching the end of this exercise, so next week I'll post the results and go into more of the background of why I chose Slammer and how I organized the drill.


Published: 2010-10-28

CVE-2010-3654 - New dangerous 0-day authplay library adobe products vulnerability

Adobe today released advisory APSA10-05, describing a 0-day vulnerability that can be exploited remotely in Adobe Flash Player, Adobe Reader and Acrobat. Adobe says it expects to have the update available during the week of November 15.

The following are the mitigation measures recommended by Adobe:

Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0."
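The rename step above, scripted for the Mac and UNIX layouts Adobe describes, as an added example that is not part of the original diary or of Adobe's advisory. It assumes the Reader/Acrobat install root is passed as the first argument; the file names come from the advisory text above, while the `.disabled` suffix and the function names are this example's own choice. Renaming instead of deleting keeps the library around so it can be put back once the vendor patch is installed.

```shell
#!/bin/sh
# Added example, not Adobe's tooling: apply the APSA10-05 workaround of renaming
# the authplay library out of the way, and restore it once the patch ships.
# Assumes the install root is passed as $1 (e.g. /opt/Adobe on Linux, or an
# "Adobe Reader 9.app/Contents/Frameworks" directory on a Mac; on a mounted
# Windows volume, authplay.dll is found the same way).

# File names Adobe lists for the bundled Flash interpreter, by platform.
AUTHPLAY_NAMES='authplay.dll AuthPlayLib.bundle libauthplay.so.0.0.0'

# authplay_find ROOT: print every matching path under ROOT, one per line.
authplay_find() {
    for n in $AUTHPLAY_NAMES; do
        find "$1" -name "$n" 2>/dev/null
    done
}

# authplay_disable ROOT: rename each match to NAME.disabled. Reader/Acrobat
# then fails with a non-exploitable error on PDFs that carry SWF content.
authplay_disable() {
    authplay_find "$1" | while IFS= read -r p; do
        mv "$p" "$p.disabled" && echo "disabled: $p"
    done
}

# authplay_restore ROOT: undo the rename after the vendor patch is installed.
authplay_restore() {
    find "$1" -name '*.disabled' 2>/dev/null | while IFS= read -r p; do
        mv "$p" "${p%.disabled}" && echo "restored: ${p%.disabled}"
    done
}

# authplay_status ROOT: exit 0 when no live authplay library remains, 1 otherwise.
authplay_status() {
    [ -z "$(authplay_find "$1")" ]
}

# Usage: authplay_disable /opt/Adobe; authplay_status /opt/Adobe && echo mitigated
```

Run `authplay_status` after the rename and again after patching and restoring; the first call should succeed (nothing left to exploit) and the second should fail (the library is back in place).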

More information at http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org


Published: 2010-10-28

Cyber Security Awareness Month - Day 28 - Role of the employee

Today's topic for Cyber Security Awareness Month is the Role of the Employee.  Almost everyone reading this today will create some form of stored data that is significant to them.  That is the role of the user, and basically every employee with an IT system is a user of some form or other.  Recently I had the opportunity to discuss a very similar topic with some friends at www.eitc.edu.  The discussion centered on personal responsibility with regard to security.  It was a very productive discussion that yielded many of the same questions and conclusions I will discuss today.  The role of the employee is essentially the role of the user, which always leads to three questions:

“What data have I produced?”

“How do I get this data back, so I may continue, when all else fails?”

Once you have addressed these questions for the data you have created, whether 2 presentations or 200 emails, you will find the long road ahead much easier.   The third question is a bit more difficult, and is a topic for another day….

“What data, other than my own, am I ultimately responsible for today??”

I would like to talk about the first two here a bit more.  Of course, discussion and comments are always welcome and encouraged.

"What data have I produced?"  This question should lead everyone to ask a number of questions about backup, restoration, and possibly even continuity of operations for their jobs and data.  One common question is "how do I keep going after a (insert disaster here: fire, flood, etc.)?"  If you are reading this, then most likely you, in both your professional and personal life, create some form of data each day.  In the workplace this may be several proposals or presentations.  At home, it may have been a weekend of pictures downloaded to the home computer.  So what happens when the workplace is flooded?  Or, God forbid, when there is a fire at home?  Is the data created on a computer any less priceless than the letters from two years ago?  No.  You should plan for and protect these electronic artifacts the same way you would the physical ones.

"How do I get this data back, so I may continue, when all else fails?"  To answer this question completely, question number one has to be answered first.  Once you have identified who is responsible for backup and restoration, ask "where is my data, so I can get it back when everything else fails?"  Sometimes this is a question we have to ask ourselves about personal data we have created, in the form of contact lists, email archives, and personal files.  In the data realm we are producers, provisioners, consumers, and sometimes all three.  Anyone in the first two roles needs to understand completely the part they play in today's cybersecurity world.

tony d0t carothers at isc d0t sans d0t org


Published: 2010-10-28

Firefox 3.6.12 available - http://www.mozilla.com/en-US/firefox/personal.html

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2010-10-28

Cyber Security Awareness Month - Day 27 - Social Media use in the office

On Day 27 of the 2010 version of Cyber Security Awareness Month we want your view on the use of social media in the office.

Unless you are in one of those few industries, or parts of government or the military, where the control of data is so strict that you can forbid Internet use, it is very likely that your company has had to deal with the conundrum of whether or not to allow access to social media sites.  There is no doubt that from the corporate point of view there may be huge benefits, not least low-cost access to your customer base for both customer feedback and targeted advertising, but there are also huge risks: increased exposure to malware, leakage of intellectual property and confidential information, productivity issues, and exposure to objectionable content.

 I am not going to get into the discussion of whether companies should or shouldn't allow access to social media.  That should be an individual company risk versus reward decision.  But if you do decide to go ahead, here is my list of the minimum you should have in place.

  • Internet Acceptable Use Policy - hopefully your company already has one.  An Internet AUP defines the parameters of acceptable use for your company's Internet resources.  Most companies have come down on the side of limiting work-based Internet use to usage directly related to job responsibilities with limited personal use being acceptable.  The two big things are that if your jurisdiction permits it you should indicate that the network can be monitored and that all data stored on company resources belongs to the company.  A good sample Internet AUP is available at the SANS Internet Security Policy Templates page.
  • Social Networking Policy - more and more companies are publishing a social networking policy.  In a nutshell it defines what people can and can't say online.  This policy should indicate that employees can only speak on behalf of the company within their area of responsibility and that they must clearly identify who they are.  It also should define what they can and can't talk about.  Obviously intellectual property, trade secrets, sensitive corporate information, and customer and partner information should be off the table. Most importantly the policy should provide a reporting mechanism to be utilized if employees trip over inappropriate information about your company. Here is a good sample social media policy to help you get started.
  • Management training - no policy should be published without adequate training.  In this case managers must be made aware of the policy and of what is and isn't appropriate for their employees to be doing.  What is the difference between limited personal use and abuse?  Where do I report a potential problem?
  • Employee training - employees must also be trained on the social media policy.  They need to know under what conditions they can speak on behalf of the company, and where the line is between limited personal use and abuse. Employees will also be your best source of reporting of inappropriate information being posted, so be sure to let them know how to report issues.
  • Apply Operations Security (OpSec) - OpSec is a military term which describes a process to determine if information which can be obtained by adversaries could be useful to them and minimizing the impact of that information.  Applying this concept to InfoSec, I am referring to a process of monitoring the Internet with the goal of identifying corporate information which could be useful for competitive intelligence, or which could  present your company in a negative light, and have it removed when possible.  Google alerts are a good place to start in this area.

I've gone on long enough.  It is your turn to provide us with guidance.  What techniques have you employed to limit the impact of work-based social media on your company?

As usual your ideas and feedback are encouraged via the comment mechanism below.

Other Resources:

Another good resource when creating your Social Media policy is  "Ten things you should cover in your social networking policy"

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2010-10-26

Cyber Security Awareness Month - Day 26 - Sharing Office Files

Today's CSAM topic is Sharing Office Files.

There are some good points of attention when doing this.

1) Sharing inside the company.

Most companies have shared drives that people use to store documents that can be accessed by one or several groups.

It is very important that you know who is on the list of trusted people that can access those documents.

It is also necessary that the shares are included in the anti-virus scan and backup process.

If you are not using a shared drive, but a web-based internal service like MS Sharepoint, the same check
should be done regarding the access control.

Sharing internal documents using external providers such as Google Docs or online file servers may be a risk and very likely an internal policy violation, even if they provide some level of authentication, so those should be avoided at all costs.

2) Sharing Outside the company

Sometimes we need to share documents with third party and this can be a difficult task when it comes to security.

When you are not able to use some kind of public/private key encryption method for the email exchange, what I recommend is to use a common key and compress the file with a strong crypto algorithm such as AES.

Most archivers, such as WinZip, WinRAR and 7-Zip, offer this option. Make sure the archiver is set to AES rather than the legacy ZIP 2.0 (ZipCrypto) encryption, which is weak, and send the password over a separate channel rather than in the same email. That way, even if the email or file ends up in the wrong hands, the document cannot be opened.

3) Sharing inside the company with removable drives

Sometimes we need to share a document inside the company via removable drives.

At this point you can't really trust what is inside the thumb drive besides the document you need, and today it is very common to find malware on them that will execute via the Windows Autorun feature.

If your IT policy allows, you should really disable this feature.

One thing that I usually do is to check them on my Linux box and remove the autorun.inf file before inserting them into my Windows box.
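The check described above (look at the drive on a non-Windows box and strip autorun.inf before it meets Windows), as an added example rather than the author's own script. It assumes the drive is already mounted and its mount point is passed as the first argument; the autorun.inf in the usage line is constructed for illustration. Besides removing the file, the example prints what the file would have launched, which is worth keeping for the incident record.

```shell
#!/bin/sh
# Added example, not from the original diary: inspect a removable drive that is
# mounted on a Linux/Mac box for autorun.inf, show what it would launch on a
# Windows machine, and remove it. Assumes the mount point is passed as $1
# (e.g. /media/usb). FAT and NTFS are case-insensitive, so AUTORUN.INF and
# Autorun.Inf count too; -iname covers that.

# autorun_list MOUNT: print any autorun.inf in the root of MOUNT. Windows only
# honours the file in the drive's root directory, so -maxdepth 1 is enough.
autorun_list() {
    find "$1" -maxdepth 1 -iname 'autorun.inf' 2>/dev/null
}

# autorun_targets FILE: print the programs the file would run. "open=" and
# "shellexecute=" launch on insertion; "shell\...\command=" entries launch
# from the drive's context menu or on a double-click. The file is usually
# CRLF-terminated, so strip the CR first.
autorun_targets() {
    tr -d '\r' < "$1" \
        | grep -iE '^[[:space:]]*(open|shellexecute|shell\\.*command)[[:space:]]*=' \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# autorun_check MOUNT: report findings; exit 0 if clean, 1 if autorun.inf exists.
autorun_check() {
    autorun_list "$1" | while IFS= read -r f; do
        echo "found: $f"
        autorun_targets "$f" | sed 's/^/  would launch: /'
    done
    [ -z "$(autorun_list "$1")" ]
}

# autorun_clean MOUNT: delete the file(s) before the drive goes near a Windows box.
autorun_clean() {
    autorun_list "$1" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed: $f"
    done
}

# Usage (constructed sample): printf '[autorun]\r\nopen=setup.exe\r\n' > /media/usb/AUTORUN.INF
#        autorun_check /media/usb || autorun_clean /media/usb
```

Removing autorun.inf only stops the automatic launch; the executables it pointed at are still on the drive, so treat those as suspect as well.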

4) Receiving Office Documents from outside the company

When receiving documents from outside the company, they will mostly be PDF or MS Office (.DOC, .XLS, .PPT) files.

Sometimes they may be legitimate documents, sometimes they may be part of a targeted attack :) .

There are a couple of ways to check those files. Our fellow handler Lenny Zeltser put together a very nice cheat sheet called... Analyzing Malicious Documents Cheat Sheet :) You can find the PDF here (don't worry, it is not malicious) :)

It contains several tools that you can use to help identify malicious documents when you don't want to send them to external websites such as VirusTotal or Wepawet due to possible confidentiality issues.
As a last resort, create a VM image with Office and open the documents there :)

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure


Published: 2010-10-26

Firefox news

So, this is not marketing or just news about Firefox. :)
The reason for this post is that Firefox is the subject of two quite interesting security-related news items.

Starting on the first one.
There is a 0-day vulnerability affecting Firefox, including the latest version. This vulnerability is already being exploited, so beware...

The good thing is that Mozilla is quite fast on these and has already confirmed the issue and is working to get it fixed.

The second one is related to a Firefox extension released yesterday. It is called Firesheep.

In summary, it is an add-on that makes it really easy for basically anyone to hijack accounts by sniffing traffic on public hotspots such as airports, coffee shops, etc. It captures the session cookies that sites send over unencrypted HTTP and offers a one-click login as that user.
Hijacking accounts by sniffing traffic on unsecured Wi-Fi networks was never really difficult, but until now you needed some additional steps to accomplish it; with Firesheep it is all there for you. I really recommend checking it out.

PCWorld has a good write up on it.

Thanks to the readers who pointed that out.


Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure


Published: 2010-10-25

SQL Slammer Clean-up: Switching Viewpoints

As you've been going through this exercise (http://isc.sans.edu/diary.html?storyid=9664, http://isc.sans.edu/diary.html?storyid=9712, http://isc.sans.edu/diary.html?storyid=9778) you have certainly run into the issue of bad WHOIS contact information, and have likely had bad/no response from the abuse contacts. Hasn't that been frustrating?

Today we put the shoe on the other foot, and take steps to make sure that others don't suffer from our own WHOIS records and abuse-handling processes.

Look up your own net-block(s). Do you have an abuse contact defined? Are the email addresses AND the phone numbers appropriate? If someone sends an email to your abuse address will it be read by a human? If someone calls the phone number will they be able to reach a security/computer person?

Are you RFC 2142 (http://www.ietf.org/rfc/rfc2142.txt) compliant? Most aren't fully compliant (for example I don't think we use noc@the-day.job.)

I just did a quick audit myself. Through mergers and acquisitions we have a handful of net-blocks. They don't all point to the same domains, but they all have abuse contact records and the owner block is correct. We also route all abuse@* to the same work-flow. So I would consider that a pass. On the other hand, the phone numbers all reach the main switchboard. Getting routed to the right security contact was challenging, so I would recommend that we update that number.
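An offline version of the audit the diary asks for, as an added example that is not the author's script: it reads a saved whois reply and checks for an abuse mailbox and phone number, and separately lists which RFC 2142 role mailboxes a domain lacks. The key names it matches (OrgAbuseEmail/OrgAbusePhone as ARIN prints them, abuse-mailbox as RIPE prints it) are assumptions about the registry output format, and the sample record is constructed on a documentation prefix.

```shell
#!/bin/sh
# Added example, not from the original diary: audit a net-block's WHOIS record
# offline for a defined abuse mailbox and phone number, and list the RFC 2142
# role mailboxes a domain is missing. Assumes the saved reply of
# `whois <net-block>` is passed as a file path. The key names matched are
# ARIN ("OrgAbuseEmail:", "OrgAbusePhone:") and RIPE ("abuse-mailbox:")
# conventions; other registries need their own patterns added.

# whois_field FILE REGEX: values of every line whose key matches REGEX.
whois_field() {
    grep -iE "^($2)[[:space:]]*:" "$1" | sed 's/^[^:]*:[[:space:]]*//' | sort -u
}

whois_abuse_emails() { whois_field "$1" 'OrgAbuseEmail|abuse-mailbox'; }
whois_abuse_phones() { whois_field "$1" 'OrgAbusePhone'; }

# whois_audit FILE: report; exit 0 only when both an abuse e-mail and phone exist.
whois_audit() {
    e=$(whois_abuse_emails "$1")
    p=$(whois_abuse_phones "$1")
    [ -n "$e" ] && echo "abuse e-mail: $e" || echo "MISSING: abuse e-mail"
    [ -n "$p" ] && echo "abuse phone:  $p" || echo "MISSING: abuse phone"
    [ -n "$e" ] && [ -n "$p" ]
}

# rfc2142_missing DOMAIN MAILBOX...: print the RFC 2142 role mailboxes (the
# abuse/noc/security trio plus postmaster, hostmaster and webmaster) that are
# absent from the given list of mailboxes you actually route to a human.
# Mailboxes are compared lower-case.
rfc2142_missing() {
    domain=$1; shift
    have=" $(printf '%s ' "$@" | tr '[:upper:]' '[:lower:]')"
    for role in abuse noc security postmaster hostmaster webmaster; do
        case "$have" in
            *" $role@$domain "*) ;;
            *) echo "$role@$domain" ;;
        esac
    done
}

# Constructed sample record in ARIN style (203.0.113.0/24 is a documentation prefix).
whois_sample() {
cat <<'EOF'
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
OrgName:        Example Networks
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseName:   Abuse Desk
OrgAbusePhone:  +1-555-0100
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
EOF
}

# Usage: whois 203.0.113.0 > block.txt; whois_audit block.txt
#        rfc2142_missing example.net abuse@example.net noc@example.net
```

The script can only tell you whether the contacts are defined; whether the mailbox is read by a human and the phone reaches a security person still has to be tested by hand, as the diary describes.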


Published: 2010-10-25

Cyber Security Awareness Month - Day 25 - Using Home Computers for Work

Today's CSAM topic is Using Home Computers for Work.  I will share with you a simple practice I've been using for quite some time that provides me a couple key protections from myself while keeping me and my employer safe from mingling home equipment with the corporate equipment.

It is common for many people to have company-issued laptops, so your mileage may vary on my suggestion.  However, for those who do not use an issued laptop to access the company network and are left using home equipment to do work for their employer, I highly suggest using some sort of virtual machine software and routing all access to the corporate network through that machine.
My home setup for connecting to work consists of our family computer, an iMac (behind a firewall, of course), with a VMware Fusion machine consisting of a basic XP installation that has been fully patched, updated anti-virus, and any basic software required for connectivity to the company resources, i.e. VPN software, SSH clients, etc.  Once this VM has been set up, I save a snapshot of it.  When Patch Tuesday rolls by, I update everything and take another snapshot. Most anti-virus can be configured to update when it boots up, and at a minimum I update the image monthly, but sometimes more often if I am ambitious.  When I need to use the home computer to connect to work, I fire up my VM and use the VM environment for all connectivity to work.  When I have completed my session for work, I power down the VM and roll back to my most recent snapshot.  This practice ensures that my computer will not propagate any malware or viruses that my family or I happen to carelessly add to the home computer.  It keeps my risks low and my productivity higher because I always have a fresh installation.
I am not a lawyer, nor do I play one on the Internet, but it could also be argued that since a concerted effort is maintained to keep work and home activities separate while using the same hardware, all legal privacy issues could be bound to only the VM files and not my entire computer. Again, consult your lawyer before believing this to be true.
I've only touched upon some of the connectivity risks associated with using home computers for work.  There are many more things to consider.  So please, share with us what you do to reduce or minimize any risks associated with using home computers for work.
Kevin Shortt
ISC Handler on Duty


Published: 2010-10-24

Cyber Security Awareness Month - Day 24 - Using work computers at home

The 4th week of the awareness promotion month starts with a topic close to every employee's personal experience: "Using work computers at home".

To best situate this, one needs to be able to take the viewpoint of the different stakeholders and walk through them in order to get a good balance between it all.

The overruling bodies

Local laws, customs, employment legislation, tax regulations etc. have an impact on what the parties can and cannot do. E.g. where I live, work computers are often given as part of the employee's remuneration and the employee is taxed on it, to a (very small) extent, as a benefit. Similarly, the applicable rules might well limit the amount of monitoring and other intrusions on the privacy of users, and it'll be much harder to argue in favor of extensive monitoring when the machine is (also) used at home and not just at work.

Bottom line is simple for the security professional: expect every jurisdiction you operate in to be (slightly) different in rules and regulations; seek advice from the local legal and HR teams before setting troublesome policies that will violate some of these.

The user

The user of a work computer at home should really try to see the machine as the property of the company (s)he works for. Sticking to the letter and/or spirit of the rules set forth is a start. But many security professionals get gray hair, or just tear it out, from users doing, or requesting permission to do, things they really should not be contemplating. So how do you know if your bright idea is one that will cause a face-palm if found out by the security department?

Summarize your plan, generalizing it a little, before you ask or act; say it back to yourself, and add "and I work for a _______" after it.


You'd be interested to surf to a website containing NSFW images. Before you do, you ask yourself:
"I'd like to surf to p*rn using my work computer, and I work for a wall street bank"

If it doesn't sound like a great idea: time to urgently reconsider.

Most places will introduce some measures like anti-virus software, limited user accounts, or even very strict security that allows little or nothing to be done with the machine. These are in most cases put in place to prevent the machine (and its precious data) from becoming infected with malware or being taken over by the bad guys. Do not work around or find a way to sidestep these measures: they are there "for your own good", really!

Do expect some things not to work all that simply. E.g. adding printers on a Windows system is a tricky business that requires rights beyond what a user at the office needs (where printer drivers are managed by the IT dept.). Expecting it to work "just" like on a machine you administer yourself, like your family computer, is only going to leave you frustrated in many cases.

Know that "mobility" is what you're doing when you use a work machine outside of the physical and logical confines of work. And most of the models made by the companies that create the software, such as the operating system, are not all that compatible with mobility. This results, in many if not all cases, in a lower level of protection while the machine is at home than when it is at the office. To mitigate this, a user can make sure to have some essential security measures on home networks/routers/WiFi networks, but it also requires more care from the user.

The boss

Your employees might be the best asset you have; they might be lazy or even sneaky. But in the end you trust them or you'd not have them at all. So your part of the deal is to make sure the users who are allowed to take machines home and use them there are given some guidance. It's also your task to make sure it's balanced between the organization's need to have it protected, allowing the employees to do some of their own stuff, and staying within the limits set by the rules and regulations you have to comply with.

The bottom line is twofold:

  • Set forth rules - yes: policies and procedures - to give the guidance
  • Set a good example by complying with the rules yourself.

Expect your security and IT department to need some changes and extra work to support the mobility you're demanding of them. The old measures they have in place often will not suffice as mobility needs and expectations increase.


Work computers used by employees at home can be seen as

  • a benefit for the employee: it can indeed be a cost saver for the employee not to have to buy a family computer. But that also means the employee is likely to want to install that toddler's game on the business machine (imagine the sticky, food-covered fingers all over that keyboard and screen ...).

    Moreover, a computer's total cost for a business is significantly higher than a machine bought for home use. Hardware that's not changing every week with the whim of fashion is more expensive in itself; software licenses for businesses are more expensive than for student and home users; and business machines need to be managed by supporting staff. To make it worse: the more freedom the user gets, the more they damage the software on the machine and the more work the support staff has to keep it all together.
  • a benefit for the company: the employee works longer for the business by being able to work at home.
  • something IT support and security staff alike want to avoid as much as possible, as it gives them more work and doesn't fit in their model of the world. Not only are they not yet ready to accept a world where mobility is embraced, but the models and tools they need to use make it impossible for them to fully embrace it.
  • a status symbol
  • ...

Try to see both sides of the story, and not just the advantages. Laptops are among the most fragile devices in the company (expected lifetime of just 2 years) and need loads of TLC in order to function properly.

The administrator/security team

Remember that mobility will not go away. Maybe your industry has some strict requirements, but even then mobility will only increase. Worst of all, your perimeter-heavy security model isn't very compatible with mobility.

Find a good balance between:

  • The more you restrict your users, the more rebellious their nature will be.
  • The more rights your users have, the more they can do wrong.

Make sure the balance is approved by all stakeholders.

Users come and go; you will need to inform them of the rules and the goals of those rules in a short awareness session/introduction every so often. You can't expect the new colleague who just started today to already know and have read all policies on their own.

Make sure to work with HR, the powers that be, legal, ... to get to know the stakes in every jurisdiction you operate in.

Staff members who are allowed to work from home are a special case in some operations, as their computer hardly ever is at the office and still needs proper support from a distance. Make sure you're equipped with the needed tools and have a proper solution for securing their home networks. This isn't a laptop that's playing the latest Disney movie in the back of the car; it's a work machine used to do work, accessing corporate data and having access rights into the company in most cases.


What's allowed will be different for every organization. It's not even going to be static over time. Work computers that go home with employees are of course an added risk, but there are benefits too. Keep it balanced!

Also, stakeholders often have different viewpoints on the overall problem; try to place yourself in the other stakeholder's shoes and come to a balanced agreement.

Swa Frantzen -- Section 66


Published: 2010-10-23

Cyber Security Awareness Month - Day 23 - The Importance of compliance

"We need to comply with ....." is a phrase that will send quivers of fear, loathing, despair, or joy through many a security person's body. Fear, because you have been through it before and know what is around the corner. Despair and loathing, because you are told to do the bare minimum to comply rather than doing it properly. Joy, because at long last you get some budget and possibly some new toys to play with. Regardless of which feeling the phrase evokes in you, the ultimate truth is, the organisation will have to comply and you are likely going to be involved with it.  Rather than resist it, work with it and make whatever you have to comply with work for the organisation.

Other than relevant laws and regulations there are quite a number of things you could possibly have to comply with: SOX, NIST, ISM, ISO 27001, SABSA, ISM3, Cobit, ITIL, PCI-DSS, and more. Some of these are mandated by external parties and you will have to comply; for some the organisation may have made a decision to comply to address issues, become more competitive or any number of reasons. Quite a few organisations will have to comply with a number of these, and at first glance they may not play nicely together.

So why is compliance important?

One of the things I’ve learned over the years is that there are two information security basics: “Nothing changes” and “Everything changes”. A bit contradictory I agree, but let me explain. We all know that Information Security is one of the more dynamic fields in IT. Attacks are constantly changing and often require different defenses. New technology means we have to change the way in which we secure things. So everything changes, quite often and quite rapidly. On the other hand, nothing changes. When you step back from the nuts and bolts we have the same challenges we’ve had for years and years. We have to protect our boundaries, we have to deal with malware, we have to set policies, we have to educate users, we have to identify risks and deal with those.  No matter how the attacks change, no matter what technology is introduced, those basic functions still need to be done. That is where compliance can help you out.  Compliance can help change a security group from a bunch of people fighting fires to a group of people that has the right equipment and can stomp on a fire when it first ignites, or even better, can prevent it from taking hold in the first place.

What can compliance do for you:

  • Ensure processes are documented
  • Provide information to those that need it, when they need it
  • Provide guidance to resolve issues
  • Ensure basic security processes are done regularly and consistently. e.g. user review, risk assessments, projects, etc. 
  • Provide metrics that demonstrate things are secure
  • Help the organisation reduce costs, e.g. reduce merchant fees, streamline processes
  • Stop you having to solve the same issue over and over again
  • Improve Security's profile in the organisation

The one thing compliance can’t do for you is make you secure. You can be fully compliant with a number of standards, but still be insecure. The main reason for this is that there are quite a number of organisations that only comply because they have to. Two weeks or maybe even a month before the compliance audit there is a huge effort to make sure everything that is likely to be audited is compliant with the standard. Sometimes the effort is whilst the audit is happening. I’ve had a few in the last year where a document miraculously appeared with a creation date of 2 hours after the document was requested. To me that is the wrong approach and you are reducing something that can be worthwhile to a painful, wasteful effort. Likely more expensive as well.

When you comply with a standard and it is done well, the processes should be smooth, fit with current practices and not adversely impact other activities that need to take place. Yes there will be some impact on the running of the team or organisation, but the impact can be managed. If you find that a process is not working for you, change it. There is likely a better/easier way to do it and most standards allow you to do this. PCI-DSS for example is very prescriptive.  There are certain things that you must do, no argument, but the standard doesn’t tell you how you must do it (you just have to convince the auditor that what you are doing is acceptable).

The next time you hear the phrase “We need to comply with .....”, treat it with joy. You have the opportunity to sort out some processes that may not have been working very well. You may get new kit to play with. If you tackle it well security will have an increased profile in the organisation (a good one for a change). 

When you are asked to do the minimum to comply, point out that doing it properly has benefits for the organisation: better documentation, better processes and, because you are doing it right, better security.

Mark H


Published: 2010-10-22

Intypedia project

The Criptored guys are building a new project called intypedia to provide free on-line training in several topics of information security. There will be videos in both Spanish and English. The first stage will contain introductory content and upcoming ones will be targeted at people of all knowledge levels.

Upcoming lessons are:

  • History of Cryptography and its Early Stages in Europe
  • Secret-Key Cryptography
  • Public-Key Cryptography
  • Network and Internet Security

If you are new to security, it's a good place to start. More information at http://www.criptored.upm.es/intypedia/index.php?lang=en

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org


Published: 2010-10-22

Cyber Security Awareness Month - Day 22 - Security of removable media

Removable media are nothing new. Computer storage started with removable media, those of us old enough likely have fond memories of cassette tapes and floppy disks. What changed, primarily, is the ubiquity of such media and the stunning capacity of memory sticks, USB drives, iGadgets, etc.

In addition to a lot of Good Things, removable media come with two prominent risks:

(1) Given that such media is used as a carrier of data between computers, it is also a good carrier of communicable diseases, aka computer viruses.

(2) The small form factor of such media makes it very easy to misplace or lose the device, and all the data on it.

Both problems can be stopped of course by banning the use of removable media completely.  Some firms and organizations are trying this, but since computers come with built-in ports of all sorts and DVD writers and Bluetooth and so on, it is very hard and costly to get this "right".  Also, it usually doesn't stop staff from exchanging data; they'll just find some other way, like uploading it to a file exchange site.  Thus, while a complete ban of a certain technology is often the first reaction of Security in a corporate setting, it hardly ever works in the long run.

If we assume that the USB ports are accessible and usable, here are three things you can do to reduce the virus risk:

(a) Disable AutoRun
AutoRun is one of the dumbest inventions ever. Attaching a device or inserting a DVD should *never* lead to direct execution of a program without explicit user action. Viruses propagating via removable media became almost completely extinct when the "boot floppy" vanished, but came back in force once Microsoft put AutoRun into XP. Thankfully, it can be completely turned off, and should be. http://support.microsoft.com/kb/967715 shows how.

(b) Enable Anti-Virus
For anti-virus, auto-run is desired. It makes good sense to have antivirus do a quick and automatic scan of any newly attached or inserted removable media, as soon as the file system is mounted. Especially in a corporate setting, you might want to know if one of your staff brings in a keylogger on a memory stick, even when the malicious file is not actually started.

(c) Write Protect
If you are in a support or techie role that requires you to attach your memory stick to many different PCs, for example to run diagnostic programs or software updates, do everyone a favor and invest in a memory stick that can be write protected. A stick that has no internal memory and only acts as an SD card reader, for example, can do the job, and so can other USB media that come with a write protect switch. This keeps the USB memory clean even when attached to an infected PC.


To address the problem of data loss, encryption is the only viable answer. Free software like TrueCrypt (truecrypt.org) comes with cross-platform support, is reasonably easy to use, and provides good protection if used with a decent password. In a corporate setting, chances are you already have a way to encrypt files or folders. Using one of these programs, make sure you gather the data to be copied in a folder that is *not* on the stick, encrypt it there, and only then copy the encrypted archive over to the USB media. Otherwise, you create temporary files on the stick that can be retrieved by a skilled attacker. In case the stick gets lost, the separate copy on the source system also gives you a perfect inventory of what was actually lost, which can be invaluable.

If you have additional tips on how to safely use removable media, let us know (http://isc.sans.edu/contact.html) or use the comment form below.


Published: 2010-10-21

Cyber Security Awareness Month - Day 21 - Impossible Requests from the Boss

When I saw the topic I was given for this month, I immediately burst out laughing, as I have (while never violating an NDA) shared more than a few horror stories, complaints and tales of woe (from the perspective of both employee and boss) with my fellow Handlers.  In retrospect, some were not as bad as they seemed at the time, and some are far worse.  In the end, as someone who has held positions from helpdesk to CISO of a global company, I have a broad range of experiences to draw from in giving you my opinions on how to handle those impossible requests.

A few caveats before we begin:

This information is more suited for dealing with North American-style managers.  Business culture in other areas is often different and these opinions may not be appropriate for those environments.

Please understand that I speak in generalizations as there are far too many variables to be specific.

This information is not meant to be used for legal or ethical issues.  These are separate topics that have their own set of rules to follow.

We've all had a boss who makes impossible requests or demands.

When we get together either in the same physical room or virtually, through email, IM, chat rooms or the like, we trade war stories that, much like the fish who got away, seem to grow bigger every time the tale is told.

We pride ourselves on creative ways that we fulfilled or skirted the request, and at least once have imagined ourselves as the person who printed a day's worth of firewall logs on bright orange paper and dumped 600 pages on the boss' desk in response to a request for what we do all day.

When all is said and done, at the end of the day, the reality of the situation is still there and the impossible request still exists.

My personal belief is that impossible requests are often a sign of a manager who needs help with their management or technical skills.  Especially in areas such as ours where promotion through technical excellence is common, people promoted into management often don't have the tools needed to make sure they, and their staff are not put into an impossible situation. This is not their fault.  Similarly people who are trained in the art of management may not fully understand the technical aspect of the request and why it is, to you, impossible.  Again, this is not their fault.

For the most part, it's not about you. Don't make the mistake of taking it personally and thinking your boss has it in for you or is trying to make you quit.  If a manager is intentionally making your life miserable you'll know it, because truly impossible requests will only be part of the problem.

When you receive that impossible request, finding the reason for the request will prepare you for appropriate action.  But you don't always have the time or the ability to gather this information and often need to react in a very short time period if not immediately.

What do you do?

The first thing is to make sure the request really is impossible.  Many times even a brief examination of the task shows it's not.  Take some time to cool down if you had an immediate negative emotional response.

After some analysis you will be in one of three different positions:

  • The task still seems impossible.
  • It's too close to tell.
  • It may be possible after all.

Communication with your boss is crucial at this point and how you say what you need to say has more influence on the eventual outcome than you may know. Don't respond immediately with an email or by phone if at all possible.  While either may be more comfortable, you really want face-to-face communication.

Regardless of the outcome of your analysis, ask your boss (face to face) for a meeting and discuss the request.  Hopefully you know your boss well enough to know how to talk to him or her.

If you don't or you don't know what I'm talking about, Google 'personality types communication' and look at articles on identifying and communicating with the four basic personality types.  If you can't find anything, feel free to contact me off-line and I'll point you to some specific resources.

During the meeting, be calm.  Speaking loudly in a rushed manner with excited or worse yet, angry tones will do little more than raise your blood pressure and your manager's and may in fact make the situation worse.  Finishing his or her sentences is also a bad idea.

Give your manager time to talk and wait a moment to compose your response.  This is not the place for ready, fire, aim.

It has been said that you can say just about anything you want as long as you say it with a smile.  Smile.

Now that you're in the meeting, you are calm and otherwise prepared, if the task is possible have a rough plan prepared outlining the solution.  Problem solved, end of issue and you may even score some points if this isn't your typical behavior.

If the task still seems impossible you have two options.

One option is to tell your boss straight out why the request can't be fulfilled.  In my experience it is a rare manager that will listen to the blunt truth with little to no sugar-coating.  Why?  I'm not sure exactly, because this is what I ask of my staff.  Give me the facts as they exist.  If you do receive an impossible request from a manager who wants the blunt truth, chances are the manager isn't very technical, or may be technical but not particularly knowledgeable in your field.  A calm discussion of the facts and providing a workable solution is usually enough to dispel whatever misunderstandings or misconceptions the manager had when making the impossible request, providing he or she has control of it.

If you don't have a manager that responds well to this direct communication style then make sure to use positive wording.  For example, "I would certainly be able to do this if I had ..."  Just make sure what you're asking for is reasonable and will allow you to get the job done.  If you come back later saying you need more of whatever you had better have a very good explanation as to why.

Speaking so directly to this sort of manager is a bad idea.  You are often seen as being confrontational or worse yet, you are seen as challenging your boss' authority.  Even if you win, you've lost.  While you may have shown off your leet technical skills and immense knowledge you made the relationship between you and your boss worse.

Asking for help understanding the bigger picture during this meeting is always a good idea as it may give you additional information.  Hopefully your manager will see your point and give you the resources needed.

Why do we get these requests?

It could be that the action was dictated by the business or it could be a "request" from your manager's boss.  Most likely his hands are tied, and so are yours.

Maybe your manager is trying to make him- or herself look good for any one of a number of reasons.  Help him or her.  Explain the issue and a realistic solution.  Your boss won't look good if the task truly can't be done, and they know it.  Some people go so far as to imagine that another entry in their job description is "Make my boss look good".

Another possibility is that your boss is new to management and hasn't learned about mutiny.  Explain (gently) to your boss that you want to get the job done but there are certain obstacles that are out of your control.  Ask him or her to help you clear those obstacles.  While stroking a manager's ego may seem unpalatable, sometimes it's the only way.

It may be that your manager is trying to show you (or someone else) that they are in control.  This is a big problem.  The chances of this boss acting on your concerns after a reasonable discussion are whatever comes just after zero. Document the request and your meeting and file it away somewhere safe so when you are called out for failing to complete the task you at least have a record showing that you knew the task would fail and communicated that to your boss but were ordered to do it anyway.  It's not much, but it's something.

At this point it may be a tempting option to go over his or her head.  Do you see that little red light blinking in the corner of your eye?  That's your career dissipation light and it just went into overdrive.

Nobody likes to be run over like that. Trust me when I say that your working life at that company will be miserable until you leave.

Going to your Human Resources office is only marginally better.  Your hostile workplace complaint will be taken, and your manager informed.  Don't expect your boss to be nice and sweet and remove the impossible task from your shoulders.

At the end of the day unless you convince your boss otherwise, you need to fulfill that impossible request to the best of your ability and document the situation.

If this becomes the norm then maybe it's time to find a new position.  Yes, times are tough but being miserable in a job you've come to hate is a terrible way to live.  Life is too short to be that miserable.

I hope this has helped you learn at least a bit about dealing with (what seems like) an impossible request.

If you have any techniques you are particularly fond of, send them in and I'll post them.

I leave you with a quote to ponder which I firmly believe and have seen attributed to many different people.

"Nothing is impossible, it just hasn't been done yet."

Christopher Carboni - Handler On Duty

isc dot chris at gmail dot com


Published: 2010-10-20

Tools updates - Oct 2010

Some of my favorite tools have been updated recently.  GnuPG was recently updated to version 1.4.11.  OSSEC was updated to version 2.5.1.  Speaking of OSSEC, there are a number of bloggers out there participating in the 2nd Annual Week of OSSEC.  Daniel Cid appears to be doing wrap-up posts every day with pointers to the various blog posts, so go check them out.  Here are the wrap-ups for days 1, 2, and 3.  There is some interesting stuff there for those who want to get the most out of OSSEC.  I also wanted to point out an interesting tip on using wireshark/tshark to decode SSL traffic by Mark Baggett and (fellow new GSE) Doug Burks.

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org


Published: 2010-10-20

Cyber Security Awareness Month - Day 20 - Securing Mobile Devices

Over the last few years, the mobile devices in our lives have become much more complex and powerful, and as a result, more attractive as targets for malware authors.   The iPhones, Androids, and Blackberries in our pockets (and the pockets of company executives) have more raw computing capabilities than the desktop machines of a few years ago (and the servers of a few years before that), and they run web browsers capable of running javascript or flash (hmm... haven't we seen issues with both of those technologies on other platforms?), plus they have built-in GPS capabilities that allow for tracking of our movements, and nearly constant access to the internet to potentially share that information (or any other data on the device) with "the bad guys."  Unfortunately, defensive capabilities have not kept pace.  To make matters worse, because of their size, these new mobile devices are also much easier to misplace (or steal).  For this reason, it is probably even more important that the human being involved be more vigilant than ever.  In the following discussion, I also make a somewhat artificial distinction between personal and corporate use of mobile devices.

Corporate usage

For corporate mobile devices, I would urge a few measures (where possible):

  • Encryption - if the capability exists on the platform you are using, whole device encryption could provide some minimal protection to corporate (or personal) data on the device should it be lost or stolen.
  • Remote Wipe - the ability to remotely kill or wipe a device that has been lost or stolen should be enabled if it exists.
  • VPN - where possible, VPN back through the corporate environment (understanding all the issues discussed in yesterday's diaries apply here, too).  This allows one to take advantage of proxies, firewalls, e-mail filtering of the corporate network.  When possible, use the mobile device as a thin client to access data in the corporate network or in "the cloud" rather than keeping potentially sensitive data on the mobile device itself.

Personal usage

For personal devices, the biggest thing is to remember that the defenses on these mobile devices are even slimmer than on our home PCs and laptops.

  • Fight the urge to do things like banking, that might reveal information that could be used for identity theft, from your mobile device.
  • Don't click on links sent via IM, Facebook, SMS.

General usage

In general, there are a few things that should probably be done all the time to protect yourself and your personal and corporate information (and they may increase your battery life, too).

  • Turn off the GPS and data (3G/4G/wifi) capabilities when you aren't actually using them.
  • If anti-virus software exists for your platform install it.  It probably won't protect you from much, but if it stops even one attack, that's better than nothing.
  • If at all possible, don't mix corporate and personal use on the same mobile device.

I've been starting to think about mobile malware lately, and frankly, it worries me.  So, what are you doing to secure your mobile devices (both corporate and personal)?

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org


Published: 2010-10-19

SQL Slammer Clean-up: Picking up the Phone

Last time, we took the reporting up a level (http://isc.sans.edu/diary.html?storyid=9712); this time we need to take it up a notch. We’ve been using scripts and email to limit the impact of abuse reporting on your time, and you’ve seen the results: it’s not having much of an effect on the number of attacks hitting your perimeter. This is not unexpected, since the normal abuse-reporting process hasn’t cleaned these systems up already. It’s time to roll up our sleeves and pick up the phone.

I know it is scary to pick up the phone and talk to human beings-- I don’t like it myself. If we were people-people, most of us wouldn’t be into computers.

I’d like to split you up into two groups: people who are reporting attacks on your perimeter, and people who are carrying traffic from infected machines (in other words, the ISPs.)

If you’re responding to attacks I’d like you to identify the attacker that’s closest to you. Most of the IPs hitting my perimeter are China and the US, so in my case, I’d pick a US source. Look for IPs that have businesses or organizations identified in the contact information instead of large ISPs (we’ll deal with them below.) Next, do a little detective work, and research the contact information for that business. Give them a call, and ask for the computer or security person. Introduce yourself and the program. Try not to scare them too much; you’re trying to build community here. Be helpful, because they really need it.

For the ISPs, I understand the common-carrier issue, but that shouldn’t keep you from informing your customer that they have a pretty significant security issue. I’m not asking that you roll out a full-blown user-notification process. With the volumes that I’m seeing this is definitely a one-off process. You’re probably sitting in a pretty good position to not only contact the affected user, but also to know their IT staff contacts already. Give them a friendly call and help them out. You might even get more business out of it.

Keep up the effort.


Published: 2010-10-19

Cyber Security Awareness Month - Day 19 - VPN and Remote Access Tools

Today we have a few diaries on VPN and Remote Access Tools.  We invite your comments on any or all of these diaries. 


=============== Rob VandenBrink Metafore ===============


Published: 2010-10-19

Cyber Security Awareness Month - Day 19 - Remote User VPN Access – Are things getting too easy, or too hard?

It seems to me that lately in IT we no longer have downtime, even in traditional "9 to 5" companies.  Laptops, smartphones, iPads and every other gadget out there are all internet connected, and more and more people seem to be online every waking moment.  And if they’re online, chances are they’re VPN’d in to keep tabs on things at work while they’re surfing social sites, playing flash games or whatever.  This is especially true now that VPN access is so easy; in fact it's now included in a number of smart phones and tablets.

Which brings us to the poor folks in IT.  Since everyone is online 24-7, and we’re seeing business sales offices or business partners from 12 timezones over with VPN connections in, this brings up a whole raft of problems:

  • When exactly can we do system maintenance?   I’m tired of waking up at oh-dark-early, only to find 6 users logged in that you need to track down before you can start an upgrade.  You can’t seem to pick any time as a maintenance window without causing someone a problem.
  • Who gets access to what?  All too often people have skipped over the data classification and server zoning steps.  Without those done, just exactly what is that business partner allowed to have when they’re VPN’d in?

The prevalence of cheap laptops, tablets, phones and electronic doo-dads, all with internet access and VPN access (especially now that we have SSL VPNs) seriously starts to blur the line as to what the corporate desktop is.  Worse yet, it blurs the line over who has bought and paid for that corporate desktop.  No matter what our policies say, we have way too many personally owned devices out there that have VPN access to corporate resources, but don’t have corporate security tools, logging or, well, anything else.  But you can bet they’ve got malware on them from the kids in the family ! (or the grown-up kids).  And just exactly how do you enforce a VPN policy and deny access to someone who wants to work after hours for free?  It’s a real challenge to make that point to a senior manager.

We’d really like to hear about any challenges you have faced on the topic of VPN access, and how you have solved them.  Even if in your view you lost the battle on one issue or another, please share – someone else may have a different approach that might help you out.   As always – our comment form stands ready to field any and all comments, questions and answers !


=============== Rob VandenBrink Metafore ===============


Published: 2010-10-19

Cyber Security Awareness Month - Day 19 - VPN Architectures – SSL or IPSec?

There’s been a recent shift in VPN architectures over the last few years: we’re seeing new solutions being built that use SSL encryption rather than the traditional IPSEC as the VPN protocol.

The “traditional” VPN architecture involves a VPN concentrator (often located on the firewall, but in some cases it’s a dedicated box), which uses IPSEC protocols to authenticate, authorize and then encrypt all traffic between the end user and the corporate systems.  What this normally means in practice is that ISAKMP/IKE (udp/500 and/or udp/4500) is used for authentication and authorization, and ESP (ip protocol 50) is used to encrypt the traffic.  In most cases, NAT Transparency (NAT-T for short) is implemented, so that ESP is encapsulated within udp/500 to better deal with home firewalls (or hotel firewalls, coffee shop firewalls etc).  IPSEC VPN tunnels generally need VPN client software installed, and often a file-based VPN profile to connect up.

SSL seems to be where everyone wants to go.  The initial session establishment, authentication and authorization are done via the browser, and the VPN session itself is then handled by downloading a VPN client in the browser (often Java based) and running that.  This has a few major attractions – all the firewall issues go away, since almost every firewall known is configured to pass SSL (tcp/443).  SSL is also well known and is a “known to be secure” protocol – in fact it is often configured to use more or less the same encryption algorithms as the IPSEC VPN solutions (AES256 these days).

Finally, most SSL VPN solutions don’t require a client to be installed in advance.  Any home PC, kiosk or whatever can connect up to the VPN, do some business, then disconnect.
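As an added example (not part of this diary), here is a small shell/awk script that sorts firewall flow records into the protocol buckets described above, ISAKMP on udp/500, NAT-T on udp/4500, ESP (IP protocol 50) and SSL VPN on tcp/443, so you can see which remote users are arriving over which kind of VPN. The key=value log format and all addresses are constructed; tcp/443 is only counted as SSL VPN when the destination is the gateway address you pass in, because the port alone cannot tell a VPN session from ordinary HTTPS.

```shell
# Added example, not from the diary: classify firewall flow records by
# the VPN protocol they belong to. The key=value log format, the gateway
# address and the client addresses below are all constructed.

# classify_vpn_flows GATEWAY_IP  < logfile
# Prints "client_ip kind" for every record. Kinds follow the protocol
# breakdown in the diary: ipsec-ike (udp/500), ipsec-nat-t (udp/4500),
# ipsec-esp (IP protocol 50), ssl-vpn (tcp/443 to the gateway), other.
classify_vpn_flows() {
    awk -v gw="$1" '
    {
        proto = ""; dport = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue            # e.g. the timestamp field
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "proto") proto = val
            else if (key == "dport") dport = val
            else if (key == "src") src = val
            else if (key == "dst") dst = val
        }
        kind = "other"
        if (proto == "udp" && dport == "500") kind = "ipsec-ike"
        else if (proto == "udp" && dport == "4500") kind = "ipsec-nat-t"
        else if (proto == "50" || proto == "esp") kind = "ipsec-esp"
        else if (proto == "tcp" && dport == "443" && dst == gw) kind = "ssl-vpn"
        print src, kind
    }'
}

# vpn_client_summary GATEWAY_IP < logfile
# One line per (client, kind) with a record count, busiest first.
vpn_client_summary() {
    classify_vpn_flows "$1" | sort | uniq -c | sort -rn
}

# Constructed sample records (RFC 5737 documentation addresses);
# 198.51.100.1 plays the VPN gateway.
VPN_SAMPLE_LOG='2010-10-19T08:01:02 proto=udp src=203.0.113.5 dst=198.51.100.1 dport=500
2010-10-19T08:01:03 proto=udp src=203.0.113.5 dst=198.51.100.1 dport=4500
2010-10-19T08:01:04 proto=50 src=203.0.113.9 dst=198.51.100.1
2010-10-19T08:02:10 proto=tcp src=203.0.113.20 dst=198.51.100.1 dport=443
2010-10-19T08:02:11 proto=tcp src=203.0.113.20 dst=198.51.100.77 dport=443
2010-10-19T08:03:00 proto=tcp src=203.0.113.31 dst=198.51.100.1 dport=22'

# Usage: sh vpn_flows.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$VPN_SAMPLE_LOG" | vpn_client_summary 198.51.100.1
fi
```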
I bet you can see where I’m going with this, and it’s all about policy.  Many corporations have a “you can only connect with our hardware” policy.  Using home PCs, kiosks or whatever allows whatever malware is on those units to access your inside network (or whatever your VPN authorization allows them to access, that is).

Persistence is strike 2 against SSL VPNs.  Most SSL VPNs have a “zero footprint” option that is supposed to delete all traces of the client after the session.  But periodically, every vendor has trouble with this.  We see problems where cached credentials or cached hashes that grant access are not properly deleted on exit; they’re left waiting on disk for a determined researcher (or their malware) to find.

A third strike is the fact that SSL, and SSL weaknesses, are well understood.  There are loads of SSL Man in the Middle tools out there.  Coupled with improper implementation, this can be a big problem.  Don’t forget that certificates serve two functions – encryption and trust.  If you use a self-signed certificate, you’ve just defeated the “trust” side of things.  If users see an “I don’t trust this certificate” error every time they connect because the VPN Gateway was configured with a self-signed cert, they’ll see that exact same error if they’ve been compromised by a MITM attack.  Not only that, but you’ve trained your user base to press OK on certificate errors, so now they’re all at risk every time they see such an error on a banking or online retail site.

Is it “three strikes and you’re out” for SSL VPNs?  Don’t believe that for a second.  Every vendor is pushing us in this direction, all the new client improvements seem to be coming for the SSL versions only – IPSEC seems doomed to be the “legacy protocol” for remote access VPNs.

Do you use IPSEC or SSL VPNs in your environment?  Are you transitioning to SSL, or are you staying with IPSEC for the short term (or long term)?  Please share your experience using our comment form.

=============== Rob VandenBrink Metafore ===============


Published: 2010-10-19

Cyber Security Awareness Month - Day 19 - Remote User VPN Tunnels - to Split or not to Split?

In remote access VPN solutions, one of the long standing discussions is around split tunnelling.  When a remote access VPN solution is built, there are two methods of routing traffic.  A dedicated tunnel is, in English, "when you are VPN'd in, all of your traffic goes through the VPN".  A split tunnel, also in normal speak, is "when you VPN in, your corporate traffic goes through the VPN tunnel, and your internet traffic goes the way it would go without any VPN at all".


Both approaches have pros and cons, with IT pros lining up on either side.

If you split tunnel, then your internet traffic does not go to head office and then back out again.  This should result in a faster internet session, especially if you are a few timezones over from the VPN gateway.  The problem with this is that the users' direct internet access bypasses all the corporate controls on internet security.  They are able to browse to any site, with no corporate firewall or IPS between them and the internet.  In the worst case, your remote user might be directly attached to the internet with no firewall at all.

If you have a dedicated tunnel, you very likely have a proxy server on the inside network as well.  This is because many firewalls will not take inbound VPN traffic and turn it around to send it back out to the internet.  In many cases, having a dedicated tunnel means that your users are forced to use a proxy for their browser, which in turn means they have no internet access for their browser at all until they establish a VPN tunnel.  This may seem great to a security expert, but if your user is at a hotel, trying to use the hotel’s web portal to get the internet access they need before they can even start the VPN, that poor user is in a catch-22.  They won’t get internet access for the browser until the VPN tunnel is established, but they need a general purpose browser session in order to authenticate to the hotel’s system before they have enough internet access to start a VPN session.  To get around this, you’ll inevitably have to give some users “at home” and “at work” desktop icons, which point to scripts that turn the proxy settings on and off.  Microsoft Group Policy has some nifty features in this area: if you are at work (i.e. on a corporate subnet), you can have one set of workstation firewall rules and proxy settings, and if you are away (on any other network), you can have a different set of firewall and proxy settings.
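To check which of the two modes a client actually ended up in, here is an added example (not from the diary) that reads a Linux "ip route" table and reports whether the VPN interface carries the default route (dedicated tunnel), only specific prefixes (split tunnel), or nothing at all. The three route tables are constructed; the interface name tun0 and the OpenVPN-style pair of /1 routes that some clients push instead of replacing the default route are assumptions.

```shell
# Added example, not from the diary: decide from the client's routing
# table whether it is on a dedicated or a split tunnel. The route tables
# below are constructed to look like Linux "ip route" output.

# tunnel_mode VPN_INTERFACE < route_table
# Prints "dedicated", "split" or "no-tunnel".
tunnel_mode() {
    awk -v vpn="$1" '
    {
        dev = ""
        for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        if (dev != vpn) next                 # only routes over the VPN matter
        seen = 1
        if ($1 == "default") full = 1        # default route replaced
        else if ($1 == "0.0.0.0/1") lo = 1   # OpenVPN "redirect-gateway def1":
        else if ($1 == "128.0.0.0/1") hi = 1 # two /1 routes beat the default
    }
    END {
        if (full || (lo && hi)) print "dedicated"
        else if (seen) print "split"
        else print "no-tunnel"
    }'
}

# Constructed route tables: corporate space 10.0.0.0/8 behind the VPN,
# tunnel subnet 10.8.0.0/24 on tun0, home LAN 192.168.1.0/24 on wlan0.
ROUTES_DEDICATED='default via 10.8.0.1 dev tun0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

ROUTES_SPLIT='default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# Full tunnel done with two /1 routes; the original default stays in place.
ROUTES_DEF1='default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# Usage: sh tunnel_mode.sh demo   (on a live client: ip route | tunnel_mode tun0)
if [ "${1:-}" = "demo" ]; then
    for t in "$ROUTES_DEDICATED" "$ROUTES_SPLIT" "$ROUTES_DEF1"; do
        printf '%s\n' "$t" | tunnel_mode tun0
    done
fi
```

A client that policy says must be on a dedicated tunnel but reports "split" is the case worth alerting on.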

As in all things, the final approach that is taken is a trade-off between security requirements and usability for the users (aka the business requirement).  What I’ve laid out above is by no means the whole story – I’ve seen other problems and solutions, and I’m sure you have as well.  We’d be very interested in the approaches you’ve taken, challenges you’ve seen, and what your final solution ended up being.  Please use our comment form to share.

=============== Rob VandenBrink Metafore


Published: 2010-10-19

Cyber Security Awareness Month - Day 19 - Remote Access Tools

With all the changes in remote access via VPN, other remote access technologies tend to get lost a little bit.  Things like reverse SSL proxy access to terminal servers, for instance.  We still see lots of these out there, and they have a lot of technical advantages. For instance, depending on the architecture, often the station that is providing the screen and keyboard to the end user never has access to the internal network at all - this gets around a lot of the issues people have about non-corporate computers accessing corporate networks.

We're also seeing more and more functions that used to be delivered by remote access VPN, but are now offered up on the public internet for all and sundry as web applications, protected only by a userid and password.  The fact that these apps are quite often not tested for secure coding as they are built is often completely overlooked.  What is also overlooked is that the userids for these sites can usually be harvested from the company website or LinkedIn, and the passwords can often be harvested from the company website or from any of the standard (language specific) wordlists.  Mind you, after taking SEC542, I'm starting to think that passwords are over-rated - in many cases on these applications you can simply bypass authentication completely!

=============== Rob VandenBrink Metafore ===============


Published: 2010-10-18

Cyber Security Awareness Month - Day 18 - What you should tell your boss when there's a crisis

The topic for day 18 of the Cyber Security Awareness Month is something that happens frequently in many organizations: information security incidents. Many companies have formal information security incident response teams, which help to diminish the impact of incidents on the organization. One fundamental element of any information security response plan has to be the information given to your boss during the crisis. Let's take a look at the incident response lifecycle diagram:

Incident Response Lifecycle

Source: Special Publication 800-61 Computer Security Incident Handling Guide page 3-1 

Preparation: When the team is preparing for an incident, you must determine what incidents are most likely to occur inside the organization. Risk analysis is crucial to determining those incidents that are likely to happen to the information assets of the company. With your boss you should identify those risks that the company is willing to take and those that it will not take. Management should have a clear perspective that each risk they decide to accept for the company may represent a future incident for which the company must be prepared. Here is where you should prepare the elements required to respond to potential incidents if they occur: technical and procedural elements, organizational skills and, above all, the procedures that regulate the operation of the incident response team.

Detection and Analysis: There are several ways in which the incident response team can detect a security incident, such as alerts from monitoring systems, reports from employees or even reports from your own boss. In any of the above cases there will be tremendous pressure from the complainants to know what happened and to take action against those responsible for the events. When you give the official report to your boss, do so only with truthful and accurate information about what happened, not speculation and assumptions, as much of this information may be used in legal proceedings or meetings with senior management, where any comments you make will be taken as absolute truth.

Containment, eradication and recovery: Once it is determined that the events constitute an information security incident, make an objective assessment of the situation, define a strategy of containment, eradication and recovery that is compatible with corporate strategies, and present to your boss a work plan that takes a pessimistic view of the task duration, enabling you to respond to contingencies that may arise. When we talk about the compatibility of this plan with corporate strategy, it is important to consider the following variables according to the company's objectives: potential damage to resources, need for evidence preservation, service availability, time and resources needed to implement the strategy, effectiveness of the strategy and the duration of the solution. Before you begin execution of the plan, make sure your boss agrees with it and keep him informed of critical issues you might have. He will be your main support during the execution of this plan, and you want to keep him focused on the parts where you need support.

Post-incident activity: Once the containment, eradication and recovery of the incident have been completed, meet with your boss and other stakeholders to discuss the lessons learned and devise recommendations to prevent the occurrence of similar events and to respond more effectively to such events in the future. The idea is to maintain the commitment of your boss to the information security process and to all incidents that might occur in the future.

Do you have more recommendations? Feel free to page us here. I will be updating the diary with all your input.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org


Published: 2010-10-17

Cyber Security Awareness Month - Day 17 - What a boss should and should not have access to

On day 17 of our yearly Cyber Security Awareness Month, we enter into the thorny subject area of your Boss. Today, we'll look at what a boss should, or indeed should not have access to.

Bosses are interesting people. They don't do what you and I do; they do different things, go to different places, mix with different people (most with new shiny technology), and face different day to day challenges.

Let's look at those day to day challenges, or risks as we call them.

Your boss most likely holds the 'keys to your business'. They will know what your company is going to do next; they have information that could move your share price, such as the date of launch for a new product or a move on a new takeover. All of that information is valuable. So, we all think about the risks to our bosses, but do they think about the risks they face every day? Given that most CxO level bosses are not the most tech savvy people in the world, how do we educate them to work in an online world where people want that information, and are willing to try and take it?

What do you do when your boss wants to go to a country where not only does crossing a geographical border carry the potential of having technology confiscated, but it may also be copied while they are in their hotel room, or have spyware loaded onto the laptop they take with them so that e-mails are read, documents copied, and so on?

When your boss comes to you and wants the latest iShiny technology, how do you show the risks associated with them using it?

Do you have a special executive group on your web proxy which gives these high value targets broader access than the people in the offices they control? If you do, should you?

If you can pass on some tips on how you can educate CxO level executives to the risks they face, and how that impacts the services, and IT resources they should have access to, I'll add them to the bottom of the diary during today, and into next week.

Steve Hall
ISC Handler



Published: 2010-10-15

Cyber Security Awareness Month - Day 16 - Securing a donated computer

Day 16 ends week two of the Cyber Security Awareness Month. If you happen to get a computer that was donated to you, it is important to be able to trust the software that is installed on it.

Formatting a computer does not erase the data. Before using the computer, it is recommended to completely wipe the hard drive and install from trusted media. These two programs can be used to wipe a drive: WipeDrive (commercial only) and Active@ KillDisk (free and commercial). If you are familiar with Linux, you can also use dd or cp with /dev/zero or /dev/urandom.

Note that WipeDrive SystemSaver can wipe the data and keep the operating system intact, but it costs $39.95.

Wiping with dd or Linux copy (free solution)

Boot from a Linux CD/DVD; then one of these methods can be used to wipe a drive:

- cp /dev/zero /dev/hda or cp /dev/zero /dev/sda
- dd if=/dev/urandom of=/dev/hda or dd if=/dev/urandom of=/dev/sda
- dd if=/dev/zero of=/dev/hda or dd if=/dev/zero of=/dev/sda

The final step is to reinstall the operating system and all your favorite software from trusted, clean media.
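Here is an added example (not from the diary) that wraps the dd commands above in a script that wipes a target and then reads it back to confirm the overwrite actually happened, since a wipe you have not verified is only a hope. To keep the demo safe it works on a 1 MiB file that it creates itself; on real hardware TARGET would be /dev/sda or /dev/hda exactly as above, and the size lookup via blockdev is a Linux-specific assumption.

```shell
# Added example, not from the diary: the dd-based wipe from the list
# above, wrapped so that it wipes a target and then reads it back to
# confirm the overwrite. For a safe demo it works on a regular file.

# Size of TARGET in bytes. wc works for a file; "blockdev --getsize64"
# (Linux, assumed) is used for a real block device.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# wipe_with SOURCE TARGET: overwrite TARGET with data read from SOURCE
# (/dev/zero or /dev/urandom). /dev/zero never hits end-of-file, so an
# explicit count and conv=notrunc are needed to stop dd at the right place
# instead of growing a file until the disk fills up.
wipe_with() {
    size=$(target_size "$2")
    dd if="$1" of="$2" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null
    rem=$((size % 512))
    if [ "$rem" -ne 0 ]; then     # tail shorter than a sector (files only)
        dd if="$1" of="$2" bs=1 count="$rem" seek=$((size - rem)) conv=notrunc 2>/dev/null
    fi
    sync
}

wipe_zero()   { wipe_with /dev/zero "$1"; }     # dd if=/dev/zero of=...
wipe_random() { wipe_with /dev/urandom "$1"; }  # dd if=/dev/urandom of=...

# Verification for a zero wipe: number of bytes that are not 0x00.
# A fully zeroed target yields 0; the octal escape keeps tr portable.
count_nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Constructed stand-in for a disk: a 1 MiB file full of random data.
make_demo_image() {
    img=$(mktemp)
    dd if=/dev/urandom of="$img" bs=512 count=2048 2>/dev/null
    echo "$img"
}

# Usage: sh wipe_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    img=$(make_demo_image)
    echo "before: $(count_nonzero_bytes "$img") non-zero bytes"
    wipe_zero "$img"
    echo "after:  $(count_nonzero_bytes "$img") non-zero bytes"
    rm -f "$img"
fi
```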

If you know other methods for wiping a donated computer clean, you can share them via our contact form.

Update 1: Eraser is a tool for Windows to remove sensitive data from a drive, and Terence indicated that Seagate's SeaTools can be used to overwrite a drive with zeros.


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

The "Comprehensive Packet Analysis" course will be available in French in Québec on Nov 5, 2010

FOR 558: Network Forensics coming to Toronto, ON in Nov 2010


Published: 2010-10-15

Cyber Security Awareness Month - Day 15 - What Teachers Need to Know About Their Students

Today's cyber security awareness month topic looks at the problem through the eyes of the teacher.  For most students, their teachers are not just people well versed in economics, mathematics, science, or history.  They also serve as mentors, role models, and confidants to their students and are expected to be able to demonstrate their vast knowledge of how to conduct one's self in today's society.  Unfortunately for many educators, especially those who are a bit advanced in their years, this new thing called the Internet has created a very large divide between students and their teachers, often leaving the teacher with little understanding of how to integrate their students' online experience into the classroom, the playground, homework, and extracurricular activities.

There are many resources online with ideas for teachers in terms of teaching cyber security ethics and etiquette to their students.  For example, see

But what we need to ask is "what should teachers know about their students?"  Being a parent with both of my daughters out of school and on their own (OK, my youngest is in grad school...) I have many years of experience watching the divide between them and their teachers as they were growing up.  Here are some of my observations, known to many of their teachers but completely unknown to others:

  • Homework is often done in collaboration with other classmates via online chat rooms, even if told to do it alone
  • Wikipedia is more valid as a research tool than the school library
  • In chat rooms and social media sites students can be very vicious with their comments about other students, their teachers, and their schools
  • Access to computers and the Internet is everywhere, and when told that they cannot use the Internet they will find a way to do so
  • There is little respect for authority while online, causing some students to routinely break laws that they would not dare to do in the physical world (for example, theft of intellectual property via file-sharing sites, or accessing pornography that is restricted to adults over the age of 18)
  • Students have created sites such as http://www.ratemyteachers.com/ where they discuss and "rate" their schools and teachers

I know that the list above is more focused on the dark side of what "digital students" are thinking and doing, but there are certainly many good things that the Internet brings which were not available to us when we were growing up.  So now it's your turn - use the "comment" link below to add your own observations about what teachers should know about their students when it comes to online behavior.  It doesn't matter if you are a teacher, a student, a parent, or a friend, let us know what you are seeing and hearing.  And while talking about the bad stuff students do is useful for awareness, we also would like to hear about the good things they are doing, too!

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2010-10-14

Cyber Security Awareness Month - Day 14 - Securing a public computer

Today, we will talk about the challenges in securing a publicly accessible computer, or "Kiosk". I will organize this in checklist form in part because I expect to add to this list based on user feedback. If you do have something to add, please contact us or leave a comment below.

First of all, a lot of this depends on the scope of access required. In most cases, the kiosk will access some form of network resource. Worst case: a generic internet browser (e.g. a shared break room computer). This is very hard to control and secure. It is a bit simpler if you are able to establish a list of specific resources (think about an airline check-in kiosk).

I am only talking here about protecting the system, not about how to protect yourself while using a public system.

So let's start with the checklist:

  1. Location: The system should be located in an easy to view location. This will make it easier to supervise what people are doing.
  2. Policy: In particular if you allow access from the public, prominently post the usage policy. Maybe add it to the wallpaper, make the user click on it. Keep it simple so it can be understood in the 5-10 seconds a user will spend looking at it.
  3. Physical Security: Of course, there is always a chance that the computer will "walk away". Keeping it in an open location will help with monitoring users and preventing them from removing parts. Lock-down cables and alarms that sound when covers are removed may help (similar to the systems you find in retail stores). But be careful about enclosing desktops in desks. Provide sufficient ventilation to avoid fire hazards.
  4. In most cases, individual users and passwords are not practical. But whatever "default" user you use should have minimal privileges. This will also make it easier to "reset" the computer between sessions.
  5. The web browser will likely be the most important tool on a system like this. Make sure it is hardened. Disable any "persistent" features (cookies, saved passwords, cache...).
  6. Look into "Kiosk Software". There are various systems around for Windows, Linux and OS X to help you manage a kiosk
  7. Re-image daily. For a system like this, it should be possible to re-image the drive once a day. This will make sure no remnants are left over from prior uses. Parts of the system, like the users home directory, can be cleared on each log in. Automatic re-imaging can work from a DVD that is locked in the DVD drive or a second hard disk that is configured as read only. There are also hardware devices (usually used in computer forensics) that will allow you to connect drives and physically block write access.
  8. Enable an auto-logout on inactivity. This will help with cleaning up the system if a user just walks away and doesn't log out or close the browser
  9. Separate the system from the rest of your network. This kiosk should only be used as a kiosk and nothing else. It should not have access to your corporate network (unless this is why you need it) and no confidential data should be stored on the system.
  10. Limit what a user can do with the system. This can be tricky, as you have to balance security with the user's need to actually use the system. For example, if this is a "break room" computer or a public computer in a hotel lobby, you probably want people to be able to use a wide variety of web sites (Facebook?). The usual parental guidance software can help establish limits. This software can also be used to establish time limits if needed.
  11. Keep logs. At the very least, you want to know what your users did with the system. Keep good audit logs as far as your local laws and company policy allows. Many desktop monitors now include cameras. It may be a bit too intrusive, but what about taking a picture of the person in front of the screen every 5 minutes?
  12. Limit physical access to ports. This can be tricky, as people may for example want to e-mail photos they have on a USB stick. At least apply standard precautions such as disabling auto-run. Access to a FireWire port, for example, is usually not required.

I am sure I missed something, so this will be updated throughout the day.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2010-10-13

Cyber Security Awareness Month - Day 13 - Online Bullying

Cyber Bullying/Harassment

The Internet is an amazing tool; it is full of valuable information and resources. However, just like any other tool, it is very dangerous if not properly used.

Among the dangers that await children is Cyber Bullying/Harassment. Chat rooms, profile rooms (such as myspace.com) and gaming rooms are among the most dangerous. These sites are not continuously monitored and have become an avenue for many types of bullying/hate speech. According to www.websafety4kids.org, 1 in 17 children have reported being threatened or harassed while online via email, IM or chat rooms. This accounts for an estimated 18% of actual abuse taking place.

There are many statistics available at netsmartz.org and websafety4kids.org as well as other sites. These statistics indicate that the most likely victims of cyberbullying are young people age 10 to 14. In reality we just don’t know the extent of abuse. Much of this type of activity goes unreported. Many times children and teens are afraid to talk to a parent, teacher or other adult for fear they will lose their privileges to use the Internet, or they fear other types of reprimand.

With the increase in cell phones with data connections we have seen additional problems. We now have bullying going on via text messaging as well.  With a computer connection kids may be a little more cautious about what they do, because there is a chance that mom and dad may come across information on the computer.  With a cell phone, unless mom and dad get hold of the cell phone, they have no idea what is going on.  Many of the data phones now make Facebook, MySpace and other social networking sites as easy to use on the phone as on the computer.  Many young people also wrongly believe that it is harder to track things done on a cell phone than on the computer.  Now we add iPods, iPads, etc. to the mixture and we have even more avenues for possible attack.

Many young people every day receive threatening, harassing or vicious communications while using these devices. Many go unreported.  The sad reality is that by the time we identify that a child is a victim it may be too late.  We hear stories on a regular basis about young people who are being bullied.  Many of these stories end with suicide, as in the case of Ryan Patrick Halligan http://www.ryanpatrickhalligan.com/.  I first heard of Ryan's story through the information that I received from I-Safe.  I have watched the video many times and each time it tears my heart out.  Ryan is just one of hundreds of children who chose that end.

I am a volunteer for the Iowa Internet Crimes Against Children Taskforce (ICAC).  As a volunteer I visit schools in our area and talk to kids about Cyber Safety - about Cyber Bullying.  I always try to emphasize that this is a very serious problem, a very serious issue.  I assure the kids that there are people like me who will listen, who do care.  I also assure them that this too will pass.  At the end of the presentation on Bullying I ask the kids to close their eyes.  I walk them through their life, graduation day - the empty seat next to them that should have been occupied by Ryan or one of the other hundreds that have taken their own life. I ask them to fast forward 25 years - their child is in school and is being bullied; fast forward 40 years, their grandchild is in school being bullied. I ask them to try to imagine how these things feel. I ask them to think about Ryan and all of the other children, think about their future and how they would feel if it were them that caused this pain.  I receive feedback from teachers, parents and students that this walk through time has had a tremendous impact on some of the kids.  They say that the next day in class a lot of the kids want to talk about what they have heard. As I tell them, and I truly mean it.... If I can save just one child.... just one Ryan, I will feel as though I have accomplished something.

The Internet is a tremendous place, full of knowledge and adventure. It is a wide open, vast array of information, both good and bad. It is a place that can hold the key to education or the key to tragedy. There are no borders on the Internet, no boundaries. It is just as easy and fast to get to your local television station web site as it is to get to Korea, Japan, Germany or Russia.

It is important that we encourage our children, young people and teens to use this tool. However, we as adults need to become more diligent in monitoring and guiding the use of the Internet.

This education must start early. We need to talk to our children about the things that they see, the dangers that exist, and what they need to do to protect themselves from the Bullies.

For more information see:

Deb Hale Long Lines, LLC


Published: 2010-10-12

Oracle Critical Updates Released

A short while ago, Oracle released the notes for their Critical Patch Update for a number of applications such as database, middleware, business suites, Sun products and Java.  Due to the threats posed by a successful attack, Oracle strongly recommends that users apply the CPU fixes for installed applications as soon as possible.  As always, it is recommended that you review the content available at the below URLs and test the updates prior to deploying them to your production environment.

More information is available at 

Oracle Java SE and Java for Business CPU Advisory - October 2010

Oracle Critical Patch Update Advisory - October 2010 

Scott Fendley
ISC Handler


Published: 2010-10-12

October 2010 Microsoft Black Tuesday Summary

Overview of the October 2010 Microsoft Patches and their status.

The original table had the columns #, Affected, Contra Indications (KB article), Known Exploits, Microsoft rating (severity and exploitability index) and ISC rating (clients / servers). It is laid out here one bulletin per block.

MS10-071 Cumulative Security Update for Internet Explorer (Replaces MS10-053)
  Affected: Internet Explorer
  KB 2360131. CVE-2010-3325 and CVE-2010-3324 have been disclosed publicly.
  Microsoft severity: Critical. Exploitability: ?,3,3,3,?,1,1,3,1
  ISC rating: clients Critical, servers Important

MS10-072 Vulnerabilities in SafeHTML (Replaces MS10-039)
  Affected: Internet Explorer
  KB 2412048. CVE-2010-3324 has been disclosed publicly.
  Microsoft severity: Important. Exploitability: 3,3
  ISC rating: clients Less urgent, servers Important

MS10-073 Vulnerabilities in Windows Kernel-Mode Drivers (Replaces MS10-048)
  Affected: Kernel Mode Drivers
  KB 981957. This vulnerability has been disclosed publicly and is currently being exploited in the Internet ecosystem.
  Microsoft severity: Important. Exploitability: 3,?,1
  ISC rating: clients Important, servers Important

MS10-074 Vulnerability in Microsoft Foundation Classes (Replaces MS07-012)
  Affected: Foundation Classes
  KB 2387149. No known exploits.
  Microsoft severity: Moderate. Exploitability: ?
  ISC rating: clients Important, servers Important

MS10-075 Vulnerability in Media Player Network Sharing Service
  Affected: Media Player Network Sharing Service
  KB 2281679. No known exploits.
  Microsoft severity: Critical. Exploitability: ?
  ISC rating: clients Critical, servers Important

MS10-076 Vulnerability in the Embedded OpenType Font Engine
  Affected: OpenType Font Engine
  KB 982132. No known exploits.
  Microsoft severity: Critical. Exploitability: ?
  ISC rating: clients Critical, servers Important

MS10-077 Vulnerability in .NET Framework Could Allow Remote Code Execution
  Affected: .NET Framework
  KB 2160841. No known exploits.
  Microsoft severity: Critical. Exploitability: 1
  ISC rating: clients Critical, servers PATCH NOW!

MS10-078 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (Replaces MS10-037)
  Affected: OpenType Font (OTF)
  KB 2279986. No known exploits.
  Microsoft severity: Important. Exploitability: 1,1
  ISC rating: clients Critical, servers Important

MS10-079 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (Replaces MS09-068, MS10-056)
  Affected: Microsoft Word
  KB 2293194. No known exploits.
  Microsoft severity: Important. Exploitability: 1,1
  ISC rating: clients Critical, servers Important

MS10-080 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS10-038, MS10-057)
  KB 2293211. No known exploits.
  Microsoft severity: Important. Exploitability: 1,1,1,1,1,1
  ISC rating: clients Important, servers Important

MS10-081 Comctl32 Heap Overflow Vulnerability
  KB 2296011. No known exploits.
  Microsoft severity: Important. Exploitability: 1
  ISC rating: clients Critical, servers Important

MS10-082 Vulnerability in Windows Media Player Could Allow Remote Code Execution (Replaces MS10-027)
  Affected: Microsoft Windows
  KB 2378111. No known exploits.
  Microsoft severity: Important. Exploitability: 1
  ISC rating: clients PATCH NOW!, servers Critical

MS10-083 Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution
  Affected: Internet Explorer
  KB 2405882. No known exploits.
  Microsoft severity: Important. Exploitability: 1
  ISC rating: clients PATCH NOW!, servers Critical

MS10-084 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (Replaces MS10-066)
  Affected: Microsoft Windows
  KB 2360937. This vulnerability has been disclosed publicly.
  Microsoft severity: Important. Exploitability: 1
  ISC rating: clients Critical, servers Important

MS10-085 Vulnerability in SChannel Could Allow Denial of Service (Replaces MS10-049)
  Affected: Microsoft Windows, IIS
  KB 2183461. No known exploits.
  Microsoft severity: Important. Exploitability: 3
  ISC rating: clients Important, servers Important

MS10-086 Vulnerability in Windows Shared Cluster Disks Could Allow Tampering
  Affected: Microsoft Windows
  KB 2294255. No known exploits.
  Microsoft severity: Moderate. Exploitability: ?
  ISC rating: clients Important, servers Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work on them.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk attached to them.

Thanks to fellow handlers Johannes, Scott, and Guy!

Adrien de Beaupré


Published: 2010-10-12

Cyber Security Awareness Month - Day 12 - Protecting and Managing Your Digital Identity On Social Media Sites

As we all know, social media sites are designed to share information such as who and where you are and what you are doing. This can be a great way to connect to close friends and family, or even re-connect with old classmates and old co-workers.  And it can be a great way to find and connect to new groups with interests common to your own.  

However, there is a fine line with what and how much information to share with these different subsections of your life.  Think about this.  Every public message you post on your Twitter account can be spread around the world in a matter of seconds and possibly will be indexed and found in real-time searches 24/7.  These messages have the power to compromise your safety or your identity, jeopardize your future employment, or just embarrass yourself to the world.  

First, review and use privacy settings.  Almost every major social media site, such as Facebook, Twitter, and LinkedIn, has the ability to control how visible your information and pictures are on the site, as well as to any search engine that parses that data.  You need to decide how visible your contact and profile information, videos, photos, and other posts need to be, and take the time to set the appropriate controls within the site in question.

Second, don't share information that can help people steal your identity or locate you. It is quite possible for someone to look up your name in a phone book (digital or dead tree version) and find your address.  The combination of that publicly available information and your public post about hanging out with friends watching Monday Night Football across town could be enough for someone to take advantage of the situation and break into your house. 

Third, in most social media sites, you have the ability to limit who can see photos or video tagged with your name.  It is probably best that you do not upload photos or video showing you or your friends doing illegal or inappropriate things in the first place.  But you need to take advantage of any settings that allow you to control how visible this content could be if your friends do not exercise good common sense.  Is it really all that smart to post an x-ray image of your broken arm while you are in high school, if your dream is to play baseball professionally?

Fourth, no matter if it is a tweet, a Facebook status update, or something else, it is recommended that you restrict the delivery of this information to your circle of friends only.

Fifth, online interactions between coaches and potential student athletes must be managed cautiously. Coaches are under even heavier scrutiny than many other people due to NCAA regulations.  Wishing a recruit "Happy Birthday" on their public wall may be considered inappropriate in some circles. It is even possible that re-tweeting a media post by the coaching staff about a recruit visitation could be construed as a minor violation.

Sixth, be especially careful of malicious links sent via social media accounts.  There are many URL shortening services on the Internet that help when you only have 140 characters in a particular tweet.  Some third party clients to social media sites have the ability to show you the full URL which was masked in the update.  Enabling this will give you some confidence that you are actually going to a known and more-trusted site. In general, resist the urge to click on items sent to you no matter the source.

Seventh,  like all computer accounts, you must protect social media accounts from being hijacked.  Using strong passwords on your social media accounts is a must.  And you must be careful to not disclose your credentials to would-be attackers.  Using your credentials, attackers could use your account to lure your circle of friends into clicking a malicious link sent from your account.

Last but not least, think twice before posting or even clicking on a post.  Consider what could happen if a post becomes widely known and how that may reflect both on you (as the poster) or your school or workplace.

There are likely other ideas of how to better protect and manage your digital identity when it comes to social media.  Share these with us via the contact form or comment on this article. 

Scott Fendley
co-ISC Handler on Duty



Published: 2010-10-11

Cyber Security Awareness Month - Day 11 - Safe Browsing for Teens

Welcome to Day 11 of Cyber Security Awareness Month. Today we would like your advice on protecting your teens' browsing experience.

As a parent of a teen and a tween, this is a topic I have had to become opinionated about and have presented to parent groups on occasion. While there is certainly a lot of overlap with the risks to pre-teens, the increased autonomy of teens can amplify the risks.

What sort of things are teens interested in on the Internet:

  • Websites and searches about their idols
  • Email
  • Games
  • Virtual worlds
  • Instant messaging
  • Social networking
  • File-sharing and peer-to-peer Applications

and the risks they can encounter:

  • Objectionable Content
  • Malware
  • Predators
  • Career limiting moves - what gets posted on the Internet stays on the Internet

In my opinion the last of these, career limiting moves, is by far the biggest risk to the long term success of your teen.  What gets posted on the Internet stays on the Internet, and in a competitive career environment companies are increasingly using publicly available information from social networking sites to aid in hiring decisions.  Questionable activities posted on social networking sites could have an impact on your teen's ability to get that dream job many years down the road.

If you have been following the previous days of the ISC's CSAM you are already aware of the wide range of technical and non-technical controls that are available to you to help protect your family. I would argue that the most useful control is education, both for you and your teen.

With teens comes at least a bit of rebellion. If your home defenses prevent your teen from accessing something they want to access, they will find someplace where they can access it, most likely a friend's place or a library. You can only protect them so much, so you need to provide them with the knowledge to understand the risks and hopefully protect themselves. For that reason the biggest defense you have is education. You need to educate yourself on what your teen is interested in and educate your teen so they can understand the risks and warning signs of trouble.

In order to be educated yourself you need to:

  • start now. The gap between what you know and what your teen knows is already huge and it is not going to get any smaller.
  • communicate with your teen and become familiar with what your teen is interested in on the Internet.
  • join the sites, including social networking sites that your teen frequents.
  • become your child's friend on these sites.
  • be aware of who your teen has "friended" on these sites.
  • talk to your teen about what information they should and shouldn't reveal.

Something else to remember is that with the increasing availability of apps for mobile devices, their Internet experience may not be limited to the family computer.

Now that I have rambled on, it is your turn to tell our readers what techniques, technical or non-technical, you use to help protect your teens on the Internet.

As usual your advice is welcome through our comment tool below or through the contact page.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2010-10-11

SQL Slammer Clean-up: Reporting Upstream

By now you've sent off your abuse reports (http://isc.sans.edu/diary.html?storyid=9664) and have tracked the responses in your spreadsheet. I'd wager that so far you haven't got great results in that column yet. You've likely received bounces that the abuse contact doesn't exist, or that the mailbox is full. Others have given you nothing but silence. What next?

It's now time to go up a level. With a little bit of detective work, say a traceroute or a bit of DNS probing, you can identify the organization that supplies the IP addresses belonging to the infected system. There is a nice guide on how to go about that here: http://www.rickconner.net/spamweb/tools-upstream.html  Add a couple of new columns to your tracking spreadsheet: the upstream provider, the contact, and when you sent your report.

You will want to update your abuse report to take into consideration the needs of the upstream contact. You have to be even nicer, and provide the initial abuse report as well as your justification for escalating to the upstream (e.g. abuse contact does not exist, mailbox full, no response after a week, etc.).

Why didn't we report to all levels of the upstream contact in the initial report? My simple answer is crowd psychology. If you send out your report to many levels of abuse contacts, and copy SANS and law enforcement, I can guarantee you that nearly all of your recipients are going to ignore your report, thinking that it's someone else's problem to handle.

It's a process; it will take some time. Don't give up because you got an automated response.



Published: 2010-10-10

Cyber Security Awareness Month - Day 10 - Safe browsing for pre-teens

Day 10 begins week two of Cyber Security Awareness Month. This week's topics will focus on security issues affecting children and school.

Today we solicit input on how to provide a safe browsing experience for pre-teens.

Risks specific to pre-teens that we want to address:

  • Installation of unwanted applications: adware, spyware, malware, either through social engineering or drive-by exploitation.
  • Commercial/Marketing tracking: it has been reported that children are targeted more than adults (http://online.wsj.com/article/SB10001424052748703904304575497903523187146.html)
  • Exposure to unwanted ideas: what those particular ideas are, I'm leaving up to the parents.
  • Communication with the wrong people: I'm also leaving the definition of "wrong people" up to the parents.

Of course, looking over that list they're also the same risks you want to protect your sales staff from as well.

In constructing our strategy we could consult these earlier CSAM entries:

An initial strategy approach may look like:

  • Use a special unprivileged account: junior doesn't need root access.
  • White-list: this is one of the few cases where white-listing is tenable.
  • Lock down the browser: use tools such as NoScript, noflash, Adblock, etc. Coupled with aggressive white-listing, the admin/parent can pre-configure each site as it is added to the white-list.
  • Secondary filtering: web-proxy filter, OpenDNS; use layered protection for the whole family.
  • Only allow computers in public spaces: very young children will always need an adult; older pre-teens should have one close by to field questions and help with decisions (which you can post humorous tales about later on Facebook).

Again, that sounds a lot like a decent small-business/corporate-environment approach. Not everyone will have the tools or time to build a comprehensive system for their home network. How are parents handling this out in the field?


Published: 2010-10-09

Cyber Security Awareness Month - Day 9 - Disposal of an Old Computer

We have all needed to dispose of unused computers at home and the office.  I would like to encourage each of you to consider a responsible choice that helps the environment while at the same time safeguarding yourself, your company and your data.

Before disposing of any computer please consider the following as they may be helpful:
  • Save all important documents off onto a secure removable storage device, preferably encrypted media.
  • Wherever possible, extract any software license keys for reusable software.
  • Wipe your hard disk with Kill Disk, Boot and Nuke or like software.  I typically keep/destroy my drives, but before I do I will wipe them by attaching them to another computer with my handy hard drive adapter kit.  The adapter kit allows me to attach SATA/IDE drives to any computer through the USB port. (It's handy...and has bailed me out many times.)
  • Remove any reusable cables or parts such as a network card. (A backup NIC is always handy...)
  • Remove any batteries and recycle them properly.

Here is a list of URLs for the recycling programs of some of the well-known players in the computing industry.  Mileage will vary based on your needs.  I have used Best Buy's program for no other reason than its convenience and accessibility.  Many others have different things to offer.  Review them all and see which suits you.


HP http://www.hp.com/hpinfo/globalcitizenship/environment/recycling/unwanted-hardware.html
Apple http://www.apple.com/recycling/computer/
Dell http://content.dell.com/us/en/corp/d/corp-comm/GlobalRecycling.aspx
IBM http://www.ibm.com/ibm/environment/products/recycling.shtml
Lenovo (IBM) http://www.lenovo.com/social_responsibility/us/en/
Gateway http://www.gateway.com/about/corp_responsibility/env_recycle.php
Best Buy http://www.bestbuy.com/recycling


Donating your computer is always a good choice as well.  However, remember if you choose to donate any computer there are things that should be done to prevent harm to you or your company and exposing sensitive data. You will read more on Securing a Donated Computer another day. That is the topic for Day 16, stay tuned...

Please comment below if you know any additional steps or resources out there to assist in computer disposal and as always contact us via our contact form.  Any sites that help out for countries other than the US would be great to share.

Kevin Shortt
ISC Handler on Duty




Published: 2010-10-08

Patch Tuesday Pre-release -- 16 updates

The upcoming Tuesday promises to be a busy one at the Internet Storm Center.  Tuesday October 12th is the next Microsoft Patch Tuesday and it looks like a record number of bulletins.  If my math is correct it looks like 14 bulletins covering 49 vulnerabilities.

Detailed information can be found in the advance notification bulletin.

As a brief summary:

  • 12 updates for various Windows flavors, including 3 criticals
  • 1 important update exclusive to Windows servers
  • 1 critical update for Internet Explorer
  • 2 important updates for Microsoft Office

I suggest that those of you responsible for testing, and rolling out these updates get some sleep this weekend while you can!


-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2010-10-08

Cyber Security Awareness Month - Day 8 - Patch Management and System Updates

Welcome to day 8!  Today we want your opinions on patch management and system updates.  In this modern world where the gap between vulnerability and exploit is rapidly closing, and exploit code is being delivered via popular websites and ads it is as important as ever to keep your system and applications up to date.

To get you started...when I set up a Windows computer for my family and friends the following are essential:

  • ensure Windows Update is turned on, set to install recommended updates, and configured to install updates daily at a time when the computer is likely to be on.
  • install Secunia Personal Software Inspector (PSI). PSI monitors your Windows applications, lets you know when applications are out of date, and provides download links to help remediate. PSI is free for non-commercial use.

Now it's your turn.  What tools and techniques do you use to ensure the systems under your control are up to date?

As usual the comment feature below or our contact form are awaiting your sage advice.


Dave R. commented that he likes to use WSUSOffline.  It can be carried, software and patches, on a USB thumb drive.  Just plug it in and patch.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2010-10-07

SORBS.NET - email RBL issues

The email RBL service at sorbs.net seems to be having issues.  Christopher alerted us to the issue yesterday around 4pm EST - his servers were blocking all inbound mail from Google and Yahoo based on the SORBS database.  At the time we ran a few queries, it seemed to be more of a database problem than an actual blocklist entry.  Since then it seems to have gotten worse; the main sorbs.net website is down as well.

Two points:

1/ Tactically, if you are using sorbs.net to filter your email, you probably will want to temporarily modify your configs until they are back and in good health.

2/ Strategically, putting all your eggs in one basket for anything in IT is not great.  Always architect core services so that they'll work if one component or another fails - everything breaks sometime, that's just life in IT.  Personally, I don't put a lot of faith in RBL services, but if I do use them for a client, normally I'll configure several of them (or at least 2), or even better, use the input from the RBL as only one factor in the "is it spam?" question that we need to ask for every inbound email. 
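The "one factor among several" approach from point 2, as an added example in Python (not ISC or SORBS code): each DNSBL gets a weight, a list that fails the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) is left out, a list that cannot be reached casts no vote, and mail is rejected only when the weighted score reaches a threshold. The zone names, the weights and the fake resolver are constructed for offline use; `live_resolver` is the real lookup.

```python
"""Weighted DNS blocklist voting (added example, not ISC or SORBS code): several
lists, sanity-checked per RFC 5782, each only one factor in "is it spam?"."""
from __future__ import annotations

import socket
from typing import Callable

# A resolver maps a hostname to its A records; it raises socket.gaierror with
# errno EAI_NONAME when the name does not exist (that is, "not listed").
Resolver = Callable[[str], list[str]]


def live_resolver(name: str) -> list[str]:
    """Real DNS lookup (needs network); not used by the offline demo below."""
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]


def rbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets: 203.0.113.7 against zone Z becomes 7.113.0.203.Z."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool | None:
    """True = listed, False = not listed, None = list could not be consulted."""
    try:
        answers = resolve(rbl_query_name(ip, zone))
    except socket.gaierror as err:
        return False if err.errno == socket.EAI_NONAME else None
    except OSError:
        return None
    return any(a.startswith("127.") for a in answers)   # DNSBL answers are 127.x


def rbl_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A list that lists everything (a broken database, the failure mode described
    in the diary) or that lists nothing fails this test and is left out."""
    return (is_listed("127.0.0.2", zone, resolve) is True
            and is_listed("127.0.0.1", zone, resolve) is False)


def rbl_score(ip: str, lists: dict[str, int],
              resolve: Resolver) -> tuple[int, dict[str, str]]:
    """Weighted score over all lists, plus a per-list verdict for logging."""
    score, verdicts = 0, {}
    for zone, weight in lists.items():
        listed = is_listed(ip, zone, resolve)
        if listed is None:
            verdicts[zone] = "unavailable"          # no vote, mail keeps flowing
        elif not rbl_is_sane(zone, resolve):
            verdicts[zone] = "ignored (failed self-test)"
        elif listed:
            score += weight
            verdicts[zone] = f"listed (+{weight})"
        else:
            verdicts[zone] = "clean"
    return score, verdicts


def should_reject(ip: str, lists: dict[str, int], resolve: Resolver,
                  threshold: int = 2) -> bool:
    """Reject only when the combined weight reaches the threshold, so a list
    whose weight is below the threshold can never block mail on its own."""
    return rbl_score(ip, lists, resolve)[0] >= threshold


# Constructed offline stand-in for DNS with three hypothetical zones:
# good.rbl.example behaves, broken.rbl.example lists every address (a bad
# database), dark.rbl.example is unreachable (temporary failure).
def fake_resolver(name: str) -> list[str]:
    if name.endswith(".dark.rbl.example"):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    if name.endswith(".broken.rbl.example"):
        return ["127.0.0.2"]
    if name.endswith(".good.rbl.example"):
        host = name[: -len(".good.rbl.example")]
        if host in ("2.0.0.127", "7.113.0.203"):    # RFC test address + one host
            return ["127.0.0.2"]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


# Constructed weights: only the trusted list alone reaches the threshold of 2.
LISTS = {"good.rbl.example": 2, "broken.rbl.example": 1, "dark.rbl.example": 1}

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10"):
        print(ip, should_reject(ip, LISTS, fake_resolver),
              rbl_score(ip, LISTS, fake_resolver)[1])
```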

************** UPDATE ******************

It looks like this service was under a DDOS attack, they expect to be fully back in a few hours (as of 2:45-ish EST)


=============== Rob VandenBrink Metafore ===================



Published: 2010-10-06

Cyber Security Awareness Month - Day 6 - Computer Monitoring Tools

As security professionals we all know when our computers are trying to tell us that there is something wrong.  We also have our own techniques for poking around "under the hood" looking for trouble before it gets out of hand.  Like car enthusiasts, we know what each rattle and noise means and we take steps to correct the problem early.  But what about our parents and extended family members who don't have the same skills?  Like the temperature gauge or "check engine" light in your car, how does a typical user know that something is wrong?

Most newer operating systems have a system health and monitoring capability.  For example, in Windows 7 you do this:

  • Log on as a local administrator on your computer, click Start, and then click Performance and Information Tools.
  • Under Advanced Tools, select Generate a system health report.

And in Windows XP you take these steps:

  • Log on as a local administrator on your computer, click Start, and then click Help and Support.
  • Under the Pick a task, click Use Tools to view your computer information and diagnose problems.
  • In the Task pane, click My Computer Information, and then click View the status of my system hardware and software.

But what else can a non-technical user do that is simple and easy?  We published a diary about this subject a couple of months ago and got some really cool ideas.  Take a look at the comments and see if there is anything else you are aware of.  Use the "comment" link below to add your ideas to this diary.

Marcus H. Sachs
Director, SANS Internet Storm Center



Published: 2010-10-06

Cyber Security Awareness Month - Day 7 - Remote Access and Monitoring Tools

It's 10pm, Sunday night, Anytown.   In a quiet house, a phone rings.

Ring Ring, Ring
Your Mother in Law:
"Hello Dear, I've got an XYZ error message on my screen, I've powered off and back on, and the message is still there.  Can you help?"
You (to yourself, in your inside voice):  "which means she's powered her *screen* off and on instead of her computer, here we go again!"
You (to her, in your out-loud voice): "it really sounds like I need to be there to fix this - can I stop by tomorrow after work?"
Her:  "But I'm bidding on a WXY, and the auction closes tomorrow - can't we get this fixed tonight?  Plus you know how I like to play those fun online games my friend showed me over my coffee every morning."
You (inside voice again): "yeah, another XYZ, everyone needs more of those!  and don't get me started on those malware infested flash games!  how am I going to get this fixed before work tomorrow? She's an hour's drive away and I have an early start tomorrow at work!"
You (to her, out-loud):  "Will you still be awake in an hour? I can drop by later tonight still if that's ok?"
Her:  "that'd be lovely - I'll put a pot of coffee on, and I baked some cookies today.  If this is like last time you'll probably be a few hours!"

Wouldn't it be great if she had an icon on her desktop that would let you remote control her computer, right now?
Well, the good news is, there is such an app.  And like so many things in IT, the bad news is, well, the bad news is that there is such an app.

Remote control tools like gotomypc (now gotomysupport), logmein, webex, bomgar and the like used to be considered *evil* apps in many IT groups.  They pretty much allowed strangers to remote control your desktop computers over SSL or other encryption (or obfuscation or clear text) protocols, and there weren't a lot of tools out there to control how they got used.  I can remember talking to my CFO a number of years back, trying to explain why gotomypc (which was new at the time) was not a good alternative for him, that he should use the corporate VPN access.  If you look at what these remote access tools do, it sounds a lot like the ultimate goal of any pen-tester, or of any of the "bad guys" who of course also want to compromise your network security - total control of internal resources without your knowledge.

On the other hand, as these tools have matured we're seeing a large uptake in their use in corporate IT groups, to the point that most IT groups will often have such a solution in place to remotely support their own users.  We also see it routinely if we call for support on server operating systems or network infrastructure problems - almost the first thing most support techs will do is mail you a remote support link so they can see the problem first-hand and work on it themselves (using your computer).

So for all our family remote support needs, there's dozens of free tools out there that do exactly this.  For our corporate needs, similarly, there are dozens of tools out there that do exactly this, for a per-seat or per-site license fee. 

Even in this new world where we've now "blessed" these remote access tools, people are missing some of the "Security 101" questions around them.  Things like - how good is the encryption on this tool?   Where exactly does the session data transit?  Am I running this through an appliance in my own datacenter, or am I being run through the provider's infrastructure on the internet (people call this "the cloud" these days, like that makes it safer somehow)?   If the session data goes to the remote support tool provider, what country are they in?  How does their privacy, search and seizure legislation compare to yours?  Does the tool offer a drive map, which might allow file transfer without the user knowing?  The answers to these questions might not matter too much to your Mother-in-Law, but your CEO, CIO and Corporate Counsel should all care.

The "traditional" remote control tools like VNC or MS Terminal Services have been made a lot less effective by firewalls, especially personal firewalls turned on by default in the OS.  They can still be deployed (and controlled) in a corporate setting where you can do things like have Group Policy open workstation firewall ports when at work, and close the affected ports when away, but these tools aren't much help when your CEO is trying to VPN in from a hotel behind a firewall and 2 timezones away. 

What tools do you use for remote support?  If you run a corporate network, how do you control use of remote control tools?  Does your firewall or IPS control this stuff, do you restrict it at the desktop using Group Policy or browser settings, or have you just resigned yourself to the fact that anyone who can dial one of your end-users' extension can social engineer themselves into a remote session on your network?

Please use the comment form to discuss - this is a debate that's been around for a while, but seems like we have new answers every time !

 =============== Rob VandenBrink Metafore  ===============


Published: 2010-10-05

Cyber Security Awareness Month - Day 5 - Sites you should stay away from

As we wander down this path that is Cyber Security Awareness Month it reinforces that on one hand the Internet is a source of an unimaginable wealth of information and knowledge and on the other hand is a scary place where evil lurks in dark corners.  The question for the day is how you can explore the Internet while avoiding nasty sites.

As a security practitioner I am often taken off the beaten path of the Internet to do research, so it is important that I have some help avoiding nefarious sites. Here are a few tools that I use:

  • I use Firefox and the Web-of-Trust add-on to help me identify potentially naughty sites.  Web of Trust adds colored circles after all links, green for good, yellow for questionable, and red for bad.  McAfee SiteAdvisor and other products do very similar things.
  • I use OpenDNS and utilize the Web Content Filtering capability to provide a layer of protection.

If you have other tips on how to avoid nasty sites, please feel free to comment below or contact us via our contact form.

Update from the contact form:

There are a number of websites that can be used to verify the reputation and safety of websites:

Locking down the host file is also an alternative.  The MVPs hosts project provides a good method to avoid ads and some troublesome sites.

If you still run Windows XP or earlier and must run as an administrator, there is an intriguing way to browse the web as a non-administrator.


-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2010-10-04

Online Voting

We've just had a long weekend here in AU so being at work on a Tuesday morning is always a little bit depressing.  However today a little article in Wired caught my attention and made me chuckle: "Voting System pwned by Michigan Wolverines" (http://www.wired.com/threatlevel/2010/10/dc-voting-system-hacked/) and in the Washington Post "Hacker infiltration ends D.C online voting trial" (http://voices.washingtonpost.com/debonis/2010/10/hacker_infiltration_ends_dc_on.html)

The crux of the story is that computer experts were asked to prod the vulnerabilities of an online voting system. They did, and ... well, the two headlines say it all.
If you need a chuckle, have a read.



Published: 2010-10-04

SQL Slammer Clean-up: How to Report

Hopefully you've read the kick-off (http://isc.sans.edu/diary.html?storyid=9637) and have looked a bit at your logs. Perhaps you've worked out what the cost of Slammer is to your network on the back of a napkin. In most instances it probably would cover the price of your lunch, or at least it's enough to justify the small amount of time this exercise will cost you.

Create a simple spreadsheet listing the IP addresses that have been hitting your perimeter. You'll want to track who the abuse contacts for that network are, when you send your notice, and what kind of response that you get (we'll add more columns later this week.)

Next you'll be running a few WHOIS requests. Everyone has a favorite way to do this (send in your comments on what you think is the easiest way to pull abuse contact information.) Depending on your resources, you may have time to tackle all of them; others may only have time to handle 25 or so. Everyone should try at least ten, if only to get a good sample of the different types of response that you get from your first efforts. Just remember that there are a lot of people doing this along with you this month.

When you compose your first message I want you to keep a few things in mind:

  • Be polite and professional-- you are trying to enlist the help of a stranger. Take a look at some of the emails that come into your abuse contact email if you have access. Mimic the alerts that you respond positively to, avoid the behaviors of those you dislike.
  • Provide logs-- if you don't initially provide logs, that will be their first request of you. Demonstrate that you're on the level with your first message and set them up to succeed. It's ideal to provide the logs in GMT, but if that's not convenient, provide the GMT offset for your logs. There is no shame in getting probed/scanned on your perimeter, so there is very little to hide from them.

Feel free to cite these diary entries or use us as a reference. Tom Liston has other (humorous) tips on how to make an abuse report here: http://isc.sans.edu/diary.html?storyid=9325

Take a few minutes to reach out. Statistically speaking, you're most likely to get no response or an error message (we'll cover how to proceed in those cases later), so don't be daunted or give up because of that.
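The workflow from this entry and the "Reporting Upstream" follow-up above, as an added example that is not ISC code: it parses constructed iptables-style firewall lines for UDP/1434 hits, converts timestamps to GMT using an assumed local offset, builds the tracking-sheet columns the diaries suggest, and drafts the first abuse notice and the later upstream escalation. The WHOIS and traceroute work is left to the reader, so the contact columns stay blank for filling in by hand; the log lines, addresses, offset and reporter name are all constructed.

```python
"""Slammer clean-up helper (added example, not ISC code): perimeter log lines
-> per-source hit list -> tracking sheet, abuse report, upstream escalation."""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed iptables-style syslog lines using documentation (TEST-NET)
# addresses; Slammer datagrams are 404 bytes on the wire (376-byte payload).
SAMPLE_LOG = """\
Oct  4 03:12:45 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=1033 DPT=1434 LEN=404
Oct  4 03:12:46 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.3 PROTO=UDP SPT=1033 DPT=1434 LEN=404
Oct  4 03:15:02 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=UDP SPT=2118 DPT=1434 LEN=404
Oct  4 03:15:09 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=80 LEN=60
"""
LOG_YEAR = 2010                          # syslog lines carry no year (assumed)
LOCAL_UTC_OFFSET = timedelta(hours=-4)   # assumed: firewall clock is EDT (UTC-4)
KICKOFF_URL = "http://isc.sans.edu/diary.html?storyid=9637"


def parse_line(line: str, year: int = LOG_YEAR,
               offset: timedelta = LOCAL_UTC_OFFSET) -> dict | None:
    """Return a UDP/1434 hit as a dict, or None for any unrelated line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "1434":
        return None
    stamp = " ".join(line.split()[:3])               # "Oct 4 03:12:45"
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    utc = local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
    return {"src": fields["SRC"], "dst": fields["DST"], "utc": utc,
            "len": int(fields["LEN"])}


def group_hits(log_text: str) -> dict[str, list[dict]]:
    """Group Slammer hits by source IP; one spreadsheet row per source."""
    hits: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            hits[hit["src"]].append(hit)
    return dict(hits)


def tracking_sheet(hits: dict[str, list[dict]]) -> str:
    """CSV with the columns the diaries suggest. Contact columns stay empty:
    they are filled in by hand after the WHOIS (and later traceroute) work."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["source_ip", "hits", "first_seen_utc", "last_seen_utc",
                     "abuse_contact", "notice_sent", "response",
                     "upstream_provider", "upstream_contact", "upstream_sent"])
    for ip, rows in sorted(hits.items()):
        stamps = [r["utc"] for r in rows]
        writer.writerow([ip, len(rows), min(stamps).isoformat(),
                         max(stamps).isoformat()] + [""] * 6)
    return buf.getvalue()


def abuse_report(ip: str, rows: list[dict], reporter: str) -> str:
    """Polite first notice with log excerpts in GMT, as the diary asks."""
    lines = ["Hello,",
             f"Host {ip} on your network is sending UDP datagrams to port 1434",
             "on our perimeter, consistent with an SQL Slammer infection.",
             "Log excerpts (timestamps in UTC/GMT):"]
    for r in rows:
        lines.append(f"  {r['utc']:%Y-%m-%d %H:%M:%S} UTC  {r['src']} -> "
                     f"{r['dst']} UDP/1434 len={r['len']}")
    lines += ["Please investigate and clean the host. Background:",
              KICKOFF_URL, f"Regards, {reporter}"]
    return "\n".join(lines)


def upstream_escalation(ip: str, original_report: str, reason: str) -> str:
    """Escalation to the upstream provider: say why, and include the original."""
    return (f"Hello,\nWe are escalating a report about {ip} to you as the\n"
            f"upstream provider because: {reason}.\n\n"
            f"Original report sent to the listed abuse contact:\n\n"
            f"{original_report}")


if __name__ == "__main__":
    hits = group_hits(SAMPLE_LOG)
    print(tracking_sheet(hits))
    first = abuse_report("203.0.113.7", hits["203.0.113.7"], "J. Admin (constructed)")
    print(first)
    print(upstream_escalation("203.0.113.7", first, "abuse mailbox full"))
```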



Published: 2010-10-04

Cyber Security Awareness Month - Day 4 - Managing EMail

We covered phishing and other nefarious fraudulent emails in yesterday's diary. Today's entry is about preventing unauthorized access to your email and some email handling issues.

Unauthorized access to your email can occur for a number of reasons:

  • you picked a simple password, and someone guessed it
  • you picked a good password, but someone guessed the "password reset" question (remember "Wasilla High" ?)
  • you accessed your email account from an unsafe public terminal
  • you accessed your email account from a safe personal computer, but did not use SSL

Derived from this are a few steps you can take to make things harder for snoops:

  • Pick a good long password. And do change it every now and then. I am certainly no fan of "change your password every xx days" rules, but for online email, changing it on occasion actually makes good sense -- it is your only chance to lose any "stalkers" you might have picked up over time. Your ex, your dorm roomie, etc., might know your password and can passively snoop your inbox without you ever noticing. Only changing the password shakes them off.
  • Actually go through the "I forgot my password" routine once. Just pretend that you don't remember the password, and then watch carefully how hard (or not) it actually is to regain access. There are still mail providers out there who require you to have a 10-character password, but at the same time force you to use "The color of your first car" as a password reset question. Having a password reset option is good (heck, I also forget passwords if the vacation is good and long :), but the reset option should be as hard to guess or fake as the original sign-on. If you have the choice, pick a provider that allows you to write your own question/answer pair and that includes some sort of out-of-band notification like SMS.
  • For the unsafe public terminal, well, don't log into your email there. Within a couple of months, all of us will carry web-enabled mobile phones anyway, and those shady airport and hotel PCs will hopefully then follow the "internet cafe" into merciful obscurity.
  • If you are already using a mobile phone or *pad or *book for email access "on the go", make sure that your email client is set to use SSL/TLS. HTTP, IMAP and POP3 should all be avoided unless they are paired with SSL/TLS for encryption (HTTPS, for example). Remember, WiFi signals can be intercepted and recorded by everyone in range. Without encryption, eavesdroppers get to see your login credentials and all the email that you download and read.

EMail Handling

"Reply to all" was not invented for people who click faster than they think. On occasion, these embarrassing broadcasts of a person's naiveté make everyone at the office cringe. Thus, if you are using "reply to all", check carefully who is on the recipient and cc: lists. And do everyone a favor and never reprimand a hapless reply-to-all person by also replying to all with an admonishment. 

"Unsubscribing" also has its pitfalls. If you try to unsubscribe from some list that you never actually subscribed to, chances are that you just confirmed to some spammer that you actually read their email. Only use "unsubscribe" on things that you vaguely remember ever having signed up to, and use "mark as spam" for all the rest.

Last but not least, email is a poor medium to convey irony or sarcasm. As useful as email is, the more contentious a discussion gets, or the more back-and-forth replies pile onto replies, the better off you likely are picking up the phone and having an old-fashioned talk.

If you have other tips on how to keep email safe and secure, please comment below or use the contact form.


Published: 2010-10-03

Canada's Cyber Security Strategy released today

Public Safety Canada released their version of a Cyber Security Strategy today. My first impression is that the document is a good start, albeit a bit late. It does demonstrate that the government is trying to show leadership in this area, which is a good thing. What the strategy document lacks is the pragmatic plan and the specific steps required to implement it. The document will also serve as the report card for Canadians to evaluate the progress of the various departments that currently handle aspects of cyber security within the levels of government, particularly Public Safety. Twelve months from now, all of the items in their strategy should be reality. Each of the three primary areas the strategy covers is equally important in the long term, and each requires a significant investment in time, funding, cooperation, partnerships, and leadership. Government systems, applications, and networks must be secured. New and better partnerships must be created with all stakeholders in the private and public sectors. The public has the right to expect both guidance and assistance in securing their home computers and identities.

I believe that this truly underscores the need for a national CIRT/CERT in Canada, an organization that can help Canada meet these requirements and follow the steps laid out in the strategy; unfortunately, no such organization currently exists.

It is a step in the right direction, however many more are required.

The strategy is outlined here:

Tell us what you think, or comment below!

Adrien de Beaupré, Handler, SANS Internet Storm Center
Senior IT Security Consultant
Intru-shun.ca Inc.


Published: 2010-10-03

H went down.

Well, the bad news is that the H root servers were not available for over 18 hours. The good news is that practically nobody noticed. As it turns out, a fiber cut and poor weather took out access to this cluster of root DNS servers. https://lists.dns-oarc.net/pipermail/dns-operations/2010-October/006142.html shows the explanation for the outage. While the outage had no direct impact on Internet users, it does point out the necessity of proper design for redundancy. Graph of the H availability:

Adrien de Beaupré
Intru-shun.ca Inc.


Published: 2010-10-03

Cyber Security Awareness Month - Day 3 - Recognizing phishing and online scams

On day 3 of Cyber Security Awareness Month 2010 the topic is recognizing phishing and online scams, which is an interesting discussion. For example, would phishers still bother if no one clicked and freely entered their credit card and personal information? Would 419 scammers bother if no one responded to their messages? Since there is a profit motive behind the miscreants' actions, if there were a diminishing return, or the actual possibility of prosecution, would we continue to see so many of their emails and web sites? Philosophical questions aside, in order to reduce the harm done by scammers and phishers, the people receiving the bait need to be able to recognize the messages as such and not respond or click.

Don't click or respond to the following:

  • If it sounds too good to be true, it is.
  • If the message does not appear authentic, it probably isn't.
  • Does the content of the message appear in search engine results?
  • If you hover your mouse over the link does your browser or security software silently scream at you?
  • Seeing silly typos, formatting, or grammatical errors a professional would not make.
  • If the message asks you to send your information to them, rather than the other way around.
  • If you don't have an account with the company supposedly sending the email!
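The "hover your mouse over the link" check above can be automated for the links in an HTML message. The following Python script is an added example (not code from the diary): it pulls every anchor out of the message, compares the site shown in the link text with the host the href actually points at, and also flags raw IP addresses and the old `user@host` trick. The sample message, domains and addresses are constructed; the "site name" comparison deliberately uses only the last two labels, which is good enough for a demonstration but not for country-code domains like `.co.uk`.

```python
"""Flag links in an HTML email whose visible text disagrees with the href.

Added example, not from the ISC diary. The sample message and all host
names in it are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a host name in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def site_name(host):
    """Crude registrable name: last two labels (example.com). Demo-grade only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return reasons  # mailto: and friends are out of scope for this check
    host = parts.hostname or ""
    if IPV4_RE.fullmatch(host):
        reasons.append("target is a raw IP address")
    if parts.username is not None:
        reasons.append("URL contains user@ before the real host name")
    shown = DOMAIN_RE.search(text)
    if shown and site_name(shown.group(1)) != site_name(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    return reasons


def suspicious_links(html):
    """List (href, text, reasons) for every anchor that fails check_link."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            found.append((href, text, reasons))
    return found


# Constructed sample message: two deceptive links, two harmless ones.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://203.0.113.17/login">https://www.bank-example.com/secure</a>
or <a href="http://www.bank-example.com@evil.example.net/">www.bank-example.com</a>.
Contact us at <a href="mailto:help@bank-example.com">help@bank-example.com</a>
or visit <a href="https://www.bank-example.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

A link whose text is plain words ("our help page") cannot be compared, so it passes; the check only catches the specific deception of showing one site and linking to another, which is exactly what hovering reveals.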

Here are some useful links:

  • http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx
  • http://www.us-cert.gov/reading_room/emailscams_0905.pdf
  • http://www.gongol.com/howto/recognizephishing/
  • http://www.surfnetkids.com/safety/how_to_recognize_phishing-21760.htm

This is just a start, please send in your suggestions on ways to avoid falling for scammers by recognizing the signs.

Update: Leigh sent in the following quiz to assist in detecting phishing/scams:


Adrien de Beaupré



Published: 2010-10-02

Cyber Security Awareness Month - Day 2 - Securing the Family Network

Manufacturers really aren't doing many of the home users any favours. Devices are sold with worse than lame default settings in the guise of usability. Personally I think that many manufacturers are underestimating the capacity of people to follow instructions, but then I guess Heinz Ketchup does have on the instructions "put on food", so maybe I’m wrong.

Manufacturers could make things easier for us, and many of them kind of do. We now have external hard drives where the backup is a push of a button (even my mother knows how to drive that one) and many of the network devices come with one-button configuration settings to secure the network. Personally I've had limited success with this, but maybe I'm button-challenged.

I know that your home network is as secure as you can possibly make it, but alas your neighbour's, cousin's, brother's, parent's, grandparent's, etc., network is not up to the same specs.  It has been, or will be, used to spread evil such as Zeus, Stuxnet and even Kevin's favourite, Slammer.  Securing the PC helps, but you do need to secure the network as well.
So let's get stuck into it.

  • Make sure that the device connecting to your service provider at least has some stateful filtering capabilities. By default it should only allow traffic initiated from the inside (and the replies to it), but you may wish to check that.
  • Change the default passwords. Many devices come with default passwords, typically admin or blank. Many people still have their internet-facing devices with these default passwords.
  • Use long passwords.  It will only be used infrequently, so it might as well be a long one.  You'll want to write it down and keep it safe; use paper and not a file on the computer. Provided you don't staple it to your windows, keeping the passwords written down should be fine.
  • Control who connects. Whether you have a wired network or wireless, make sure you know what is connecting to your network: your laptop, fridge, media centre, etc. You might want to consider using MAC filtering. Not the best, but better than nothing.
  • If there are security settings available, use them. Keep in mind that the security of your network is often dependent on the least secure device.  For example, I have a couple of older devices that can only use 40-bit WEP keys. So if I want to use them I either reduce the security of the whole environment, or, as in my case, I have a second access point in a little DMZ off the main internet connection.
  • For wireless networks, WPA-PSK is the minimum to use.
  • Harden devices.  Just like in corporations, any device you connect to the network should be hardened. Many of the network-connected printers have so many services open that will never be used, so shut them down.

Now unless you want to be the extended family's internet helpdesk (might be the only way you get to see them), I suggest that you write down basic instructions for them, or set things up so they never have to touch it again.

I've made a start; feel free to add those things you do for your family to keep their network clean.

Mark H


Published: 2010-10-01

Cyber Security Awareness Month - Day 1 - Securing the Family PC

This year we are going to focus on steps that people should be doing with respect to securing their personal corner of cyberspace.  Some of the subjects may include technical procedures such as turning off certain ports or services or modifying software, but we really want this to be more about the person rather than the machine.

To get the month started we will spend the first week talking about the computer your parents or your family uses.  We'll get to children and schools next week, but this week let's stay focused on the adults.  Many of us are our parents' system administrators (as well as our extended family to include brothers, sisters, aunts, uncles, cousins, grandparents, and anybody else who claims to be related to you especially when they remember that you've got half a clue about this thing called the Internet) so it's important to pass along tips to our "users" whenever we are performing maintenance for them.

So today let's look at some common sense advice about the family computer.  Yes, we all know the mantra about keeping the anti-virus software updated and the system patched (we'll talk more about that in a few days) but what else should we be doing?  Some of the things that I recommend for the family PCs I work on include:

  • Keep all computers in full view (no hidden machines, no illusion of privacy)
  • Document computer details in writing (serial number, software, receipts, BIOS password, etc.) and keep the documentation in a fireproof box or safe
  • Use an uninterruptible power supply (UPS) for PCs; laptops have their own built-in UPS - the battery
  • Keep all of the hardware and software manuals, plus any software CDs/DVDs in one place that is easy to find
  • Use a cable lock to keep intruders from stealing the computer should there be a break-in
  • Throw a towel over the webcam (better:  unplug the webcam)
  • Unless it needs to always be on, consider turning it off when not in use
  • Keep plenty of room around the PC so that air can flow through to cool it

What else?  Use the comment link below to add your own ideas and comments to this list.  It is definitely not complete, but should get the discussion started.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2010-10-01

Cyber Security Awareness Month - 2010

October is Cyber Security Awareness Month, and as we have done the past three years we plan to use our handler diaries throughout the month to conduct a deep dive into various security issues.  In 2007 we covered a large range of subjects based on what our readers submitted as ideas.  In 2008 we took a closer look at the six steps of incident handling.  Last year we examined 31 different ports/services/protocols/applications and discussed some of the major security issues plus passed along reader comments on tips and tricks for securing it.

This year we are going to "borrow" an idea from Lance Spitzner and focus on ways to Secure the Human.  In other words, we are going to talk about Layer 8, the carbon layer.

We're still finalizing our list but here is how we think it will go each day in October.  We plan to discuss the actions taken by people, rather than ports, protocols, software, etc. as we've done the past few years.

Week One (Oct 1-9) Parents and extended family
1 - Securing the family PC
2 - Securing the family network
3 - Recognizing phishing and online scams
4 - Managing email
5 - Sites you should stay away from
6 - Computer monitoring tools
7 - Remote access and monitoring tools
8 - Patch management and system updates
9 - Disposal of an old computer

Week Two (Oct 10-16) Children, schools, and young friends
10 - Safe browsing for pre-teens
11 - Safe browsing for teens
12 - Social media usage
13 - Online bullying
14 - Securing a public computer
15 - What teachers need to know about their students
16 - Securing a donated computer

Week Three (Oct 17-23) Bosses
17 - What a boss should and should not have access to
18 - What you should tell your boss when there's a crisis
19 - VPN and remote access tools
20 - Securing mobile devices
21 - Dealing with insane requests from the boss
22 - Security of removable media
23 - Importance of compliance

Week Four (Oct 24-31) Co-workers
24 - Using work computers at home
25 - Using home computers for work
26 - Sharing office files
27 - Use of social media in the office
28 - Role of the employee
29 - Role of the office geek
30 - Role of the network team
31 - Tying it all together

By the way, Cyber Security Awareness Month has expanded beyond the United States.  Since 2007, Canada has also recognized the month of October for cyber security awareness.  If you know of other countries that are recognizing October as Cyber Security Awareness Month, please pass them to us via our contact form and we'll update this diary to get a more complete list.

Canada:  http://www.publicsafety.gc.ca/prg/em/cbr/index-eng.aspx
United States:  http://www.dhs.gov/files/programs/gc_1158611596104.shtm

As the month goes on all diaries in this set can be found with the following link:  http://isc.sans.edu/tag.html?tag=2010%20cyber%20security%20awareness%20month

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2010-10-01

Cyber Security Awareness Month Activity: SQL Slammer Clean-up

It's Cyber Security Awareness Month, and it's about more than just educating users-- security professionals can participate a little too.  I want to start an additional track to the Internet Storm Center's Cyber Security Awareness series.  This will be a month-long series of diaries to supplement our weekly topics.

It was near 05:30 GMT on Saturday, 25 January 2003 when the Slammer worm started to spread. Some of you probably remember where you were when you were first alerted to that incident. For those of you who didn't get to experience that first hand, there's a pretty decent Wikipedia article on it (http://en.wikipedia.org/wiki/SQL_Slammer). As I write this, I note that it's well over 7 years later. But SQL Slammer alerts continue to be a top talker on my perimeter IDS.

It's time to do something about that.

Slammer activity has been written off as "background radiation" for long enough.

Throughout this month I'm going to continue on this topic to inspire people to try something new. If you're not looking at your logs, I want you to look at them. If you're not reaching out to abuse contacts, I want you to send a few emails and make a few phone calls. If you're not helping your customers clean up their systems, I want you to experiment and reach out to help a couple of them. See what happens. See if you can make a measurable difference.

I pulled the IDS and darknet logs from the day job. From just one day I see 153 unique source IP addresses generating IDS alerts, and on my external darknet I see 63 probing UDP/1434. How many do you see hitting your perimeter? How much bandwidth is being consumed by just that activity? Can you quantify that into a dollar amount?

That's your homework for today. More to come.
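To make a start on that homework, here is an added Python example (not code from the diary) that answers the three questions for a firewall log: it picks out UDP datagrams aimed at port 1434, counts the unique sources, sums the bytes and converts them to an average bit rate, and extrapolates a monthly transit cost at a price you supply. The log lines are constructed in the Linux iptables LOG format (addresses, host name and the per-GB price are placeholders); the one real constant is the size of a Slammer packet on the wire, 404 bytes (376-byte worm payload plus 8-byte UDP and 20-byte IPv4 headers).

```python
"""Count SQL Slammer probes (UDP/1434) in firewall logs and estimate the cost.

Added example, not from the ISC diary. The log below is constructed in the
Linux iptables LOG format; addresses, host name and prices are placeholders.
"""
import re
from collections import Counter

SLAMMER_WIRE_BYTES = 404  # 376-byte payload + 8-byte UDP + 20-byte IPv4 header

# Constructed sample: a few minutes of darknet drops. Five lines are Slammer
# probes from three sources; one is a DNS probe and one a TCP SYN to 1434.
SAMPLE_LOG = """\
Oct  1 00:00:03 gw kernel: DARKNET IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=23147 PROTO=UDP SPT=1130 DPT=1434 LEN=384
Oct  1 00:00:09 gw kernel: DARKNET IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.9 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=23152 PROTO=UDP SPT=1130 DPT=1434 LEN=384
Oct  1 00:00:41 gw kernel: DARKNET IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=404 TOS=0x00 PREC=0x00 TTL=104 ID=61 PROTO=UDP SPT=4010 DPT=1434 LEN=384
Oct  1 00:01:15 gw kernel: DARKNET IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.7 LEN=72 TOS=0x00 PREC=0x00 TTL=104 ID=62 PROTO=UDP SPT=4011 DPT=53 LEN=52
Oct  1 00:02:58 gw kernel: DARKNET IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=52011 DPT=1434 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 00:03:30 gw kernel: DARKNET IN=eth0 OUT= SRC=198.51.100.201 DST=203.0.113.11 LEN=404 TOS=0x00 PREC=0x00 TTL=120 ID=900 PROTO=UDP SPT=1029 DPT=1434 LEN=384
Oct  1 00:04:02 gw kernel: DARKNET IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.12 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=23190 PROTO=UDP SPT=1130 DPT=1434 LEN=384
"""

FIELD_RE = re.compile(r"\b(SRC|DST|LEN|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the first value of each interesting field, or None for a non-LOG line.

    iptables prints LEN= twice for UDP (IP total length, then UDP length);
    keeping the first one gives the bytes actually carried on the wire.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    if not all(k in fields for k in ("SRC", "PROTO", "DPT", "LEN")):
        return None
    return fields


def slammer_probes(log_text):
    """Yield parsed records for UDP datagrams aimed at port 1434."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["PROTO"] == "UDP" and rec["DPT"] == "1434":
            yield rec


def summarize(log_text, window_seconds):
    """Unique sources, packet and byte totals, and average bit rate over the window."""
    sources = Counter()
    total_bytes = 0
    for rec in slammer_probes(log_text):
        sources[rec["SRC"]] += 1
        total_bytes += int(rec["LEN"])
    return {
        "unique_sources": len(sources),
        "packets": sum(sources.values()),
        "bytes": total_bytes,
        "avg_bps": total_bytes * 8 / window_seconds,
        "top_sources": sources.most_common(5),
    }


def monthly_cost_usd(bytes_in_window, window_seconds, usd_per_gb):
    """Extrapolate the observed bytes to 30 days at an assumed per-GB transit price."""
    bytes_per_month = bytes_in_window * (30 * 86400 / window_seconds)
    return bytes_per_month / 1e9 * usd_per_gb


if __name__ == "__main__":
    window = 5 * 60  # the constructed sample covers roughly five minutes
    stats = summarize(SAMPLE_LOG, window)
    print(f"{stats['unique_sources']} unique sources, {stats['packets']} probes, "
          f"{stats['bytes']} bytes, {stats['avg_bps']:.1f} bit/s average")
    print("top sources:", stats["top_sources"])
    # $0.10/GB is a placeholder price; substitute what your provider charges.
    print(f"extrapolated monthly cost at $0.10/GB: ${monthly_cost_usd(stats['bytes'], window, 0.10):.4f}")
```

On a real perimeter, feed it a whole day of log and set the window to 86400 seconds; the per-source counter doubles as the list of addresses to look up for abuse contacts, and the top talkers are the ones worth reporting first.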