
SANS ISC: Mailbag - "Attacks" SANS ISC InfoSec Forums

Mailbag - "Attacks"

We got an email to the list today that got me to thinking.  Alyce was concerned because of "Attacks" toward her computer that were being logged by the firewall that is part of the locally installed antivirus suite.  Alyce wisely checks the history and logs section on a fairly regular basis but admits to being a novice.  Recently Alyce observed that about every ten minutes the same IP was trying different attacks to gain access to the computer.  As was stated in the email "I know that no one is going to jump through my computer screen, but it is scaring me..."

It is scary to know traffic coming toward your system is not friendly. The internet is not a safe, nice place where you can leave your computer open and no one will bother it. However, if you keep your system patched, run antivirus software and have your firewall turned on, you are pretty safe from the externally initiated attacks that are aimed at your system. Most tools are automated and are looking for home systems with vulnerabilities. There are far too many open and unprotected systems out there to go after, rather than trying to compromise one that takes effort.

The bigger worry actually comes from what the user at the keyboard is doing. Currently as I write this, I have to make a decision as to whether I should rebuild my box. I keep it patched and locked down to what I need. I don't run as administrator and I run a firewall and antivirus software. All of this, it seems, could not save my computer from one of my kids who got on it to surf around the internet. It appears they have picked up something on their travels as my computer is not running right. Even through all the lectures of not clicking on every link out there just because Google returned it, the message still did not get through. The attackers don't have to break in if you open the door for them.

Trying to teach the user community to be careful of where they go and what they click on seems to be a never-ending saga. How many years have we spent trying to educate the end users? I have a couple of family members that unintentionally keep creating their own malware zoo on their computers. No matter how much I try to caution and explain, it obviously isn't getting through. I'm sure many of you have the same problem and similar users. The problem is trying to bridge the gap between those who work in the computer world and those who just use it. So, I would like to compile a simple, best practice list for safe internet travels for the "non computer savvy" home/work user. If you have any recommendations for best practices/advice for this list, please send them in and I will compile the results. I'll post the results of this in a diary next week.

 

Lorna

165 Posts
ISC Handler
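For readers helping someone triage a firewall log like the one described in the diary, here is an added example (not part of the original diary or any product's tooling) that groups inbound events by source IP and checks whether they arrive on a regular timer and whether every one was blocked. The log format, the sample lines and the `triage` function are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a made-up format (not any real product's log layout).
SAMPLE_LOG = """\
2011-11-05 14:00:07 BLOCK TCP 203.0.113.45 -> 192.168.1.10:445 sig="port probe"
2011-11-05 14:03:41 BLOCK UDP 198.51.100.9 -> 192.168.1.10:1434 sig="port probe"
2011-11-05 14:10:05 BLOCK TCP 203.0.113.45 -> 192.168.1.10:135 sig="port probe"
2011-11-05 14:20:09 BLOCK TCP 203.0.113.45 -> 192.168.1.10:3389 sig="remote desktop"
2011-11-05 14:30:06 BLOCK TCP 203.0.113.45 -> 192.168.1.10:22 sig="remote shell"
2011-11-05 14:31:55 ALLOW TCP 192.0.2.77 -> 192.168.1.10:5900 sig="remote desktop"
"""

LINE = re.compile(r'(\S+ \S+) (BLOCK|ALLOW) \w+ (\S+) -> \S+:(\d+) sig="([^"]*)"')

def triage(log_text, min_hits=3, max_jitter=30.0):
    """Summarise inbound events per source IP. "periodic" means at least
    min_hits events whose gaps vary by no more than max_jitter seconds,
    which is what a scripted scanner running on a timer looks like."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[m.group(3)].append((when, m.group(2), int(m.group(4))))

    report = {}
    for ip, rows in events.items():
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        report[ip] = {
            "hits": len(rows),
            "ports": sorted({port for _, _, port in rows}),
            "all_blocked": all(action == "BLOCK" for _, action, _ in rows),
            "periodic": len(rows) >= max(min_hits, 2) and pstdev(gaps) <= max_jitter,
            "avg_gap_s": round(mean(gaps)) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        # An ALLOW line is what deserves a closer look, not the blocked noise.
        flag = "blocked noise" if info["all_blocked"] else "REVIEW: traffic was allowed"
        print(ip, info, flag)
```

A source that is periodic and fully blocked matches the automated scanning the diary describes; the entry worth a second look is the one the firewall allowed.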
I have one user whose laptop I have to re-image about every month or two. Another user of similar profile (non-technical user) goes for a year or more without anything except an occasional call about something suspicious. I can't figure out what the difference between them is. Oh yes, the "problem" user now also has an Android phone that has started claiming 2 DHCP-granted IP addresses on the wifi network, instead of just one. What's with that?
Moriah

133 Posts
Personally my recommendation is to run Sandboxie on the PC and force the user's browser & IM client to run in the sandbox, which should include any office/pdf docs launched from within the browser. Not 100% and will not defeat a persistent user who will not only click the link but download and run the exe ("but it told me I had to disable my AV client before installing" :P ), however it does a reasonable job stopping drive-by infections and reduces the number of rebuilds.
W60

14 Posts
Above and beyond the standard AV/Patch aspects, the advice I've had the most success with for home users is to use OpenDNS and set it to block malware sites. Very simple to set up and can be automated effectively by showing them (or doing it yourself once) how to program it into their router's DHCP lease settings (if possible).
Next is to advise on getting good AV that includes a Sandbox feature (the recommendation of Sandboxie above is also good of course). If they get in the habit of using those disposable sessions for most work it can be very effective, and greatly removes context (like site types, links they shouldn't trust etc.) from the equation, thus reducing complexity and tech induced brain-freeze.
W60
8 Posts
Make them all Run Limited Accounts.
Period!
W60
20 Posts
I've found that a lot of those who almost always get the regular malware infections are into internet poker and other gambling sites or are porn addicts. These two things are a guarantee to cause problems on your computer. I told my brother-in-law a while back that I was done fixing his computer if he could not stop the online gambling.

I also tell them to not install Facebook apps and to be wary of links. I tell them it is better to sound like a dummy by asking a question than it is to look like a fool when your computer spams your buddies in your name.
Lee

13 Posts
I have severely reduced the need for my services to clean malware infected home machines by doing the following (all of these are likely no brainers to most, but I will include them anyway) :

1) Install AV and set it to update/ Full Scan (I start with MSE, but move to Kaspersky for those who need more advanced protection)
2) Install Malwarebytes Free as a secondary check (train the user to update/run it once every week or two)
3) Install Secunia PSI to lower the vector of infections (this keeps their tools up-to-date in the background)
4) Verify that Windows Updates are set to auto update
5) Set up OpenDNS (as noted above by another poster - I love this service)
6) Whenever I use their machine (remote or local) I tend to recheck to make sure things are set up and running correctly - scans are run, etc.

Performing just these steps I rarely have had to help with malware issues. There was a recent event where one person opened a "DHL shipping receipt" from an email and they tagged... but the PDF vulnerability was a known one and Adobe had not been updated yet.
Lee
4 Posts
Ditto for Sandboxie, OpenDNS, and running as limited user.
In addition I remove Java, all PDF readers and have them use Chrome for browsing and PDFs, which auto updates and eliminates a separate flash install. I also disable JavaScript and have them allow for sites they use that require it. There are plugins that do a better job. Also run WoT and tell them to only click on sites with a green circle.
If they are open to new things and are just using the browser, then I try and get them browsing from a USB Backtrack, Ubuntu or other distro.
Lee
2 Posts
Post infection
1) MSSSP Microsoft Standalone System Sweeper http://connect.microsoft.com/systemsweeper
2) Malwarebytes
Lee
2 Posts
I recently sent this off to a coworker but have configured the same on many of my neighbors' systems.

First off – for internet only – think about making a bootable USB drive – you can use Fedora, Ubuntu, Backtrack – it will boot fast and if done right the OS will be untouched by any changes that happen while browsing.
 
If he/she MUST surf from Windows then

1)  OS
1a) Surf from a limited user account
1b) Keep UAC enabled with a password and come install stuff if he/she needs it
2) BROWSING
2a)  Download Sandboxie and run Chrome from within the Sandbox (set Chrome as default browser and delete all shortcuts from her desktop except Sandboxie)
2b)  Surf using Google Chrome – keep it updated and it will keep itself updated for PDF and Flash
2c) Think  about disabling javascript in Chrome (will definitely impact browsing experience – but can rt-click enable on any site)
2d) Firefox with plugins
2d1)  No script
2d2) ABP ad block plus
2d3) Ghostery
2d4) WoT – Web of trust
3) Reduce attack surface  Uninstall any software not needed – especially
3a)  Java (most exploited)
3b) Adobe reader (use Foxit if you need a reader and do not want to open PDF’s in Chrome)
3c) Adobe Air
3d) Shockwave
3e) Flash (remove for all browsers – Chrome has its own)
4) PATCH - Keep the rest of the apps updated
4a) Secunia.com PSI – this will tell you if you are patched (do not trust it for Windows patches – use Windows auto update)
4b) Windows Update (set it to automatic)
4c) iTunes – run the updater
4d) Chrome – update outside of Sandboxie occasionally – then delete the default container
5)  Cardinal rules
5a) Do NOT install any software you did not go looking for (e.g. if the site says – Plugin XXX is required to view this page – do you want to install it? Exit the screen without clicking anything <alt><F4> - then if you REALLY need to see that screen go download the file from the correct site (Oracle.com for java, adobe.com for shockwave, flash, air))

5b) Do NOT run as administrator – run as a limited user account
5c) Run AV – preferably security suite set it to auto update – tweak settings to be aggressive – this will auto block a lot of malicious sites
5d) Occasionally run MSSST from a USB stick to validate no rootkits/malware
5e) Occasionally run MalwareBytes to check for other nasty bits
5f) Don’t click on links, copy and paste link to a notepad and see where it goes – if it goes to a URL shortener like Bit.ly or QR code – do not follow it – you have NO idea where it goes (there are services you can paste the link into to see where it goes)
Lee
1 Posts
> PDF vulnerability was a known one and Adobe had not been updated yet.

I have also started using Foxit. I use it because their MSIs actually work well[1], but I figure it adds a layer of protection.

Dan

[1] Why can Adobe make working MSIs for Flash and not for Reader?
Anonymous
Many years ago I created a virgin XP build PC and left it connected to the internet. A couple of days later I showed my kids the disk activity light when the box was doing nothing but connected to the net, I pointed out how slow certain applications were when online. I then turned the router off and lo the disk activity light went out, and the previous applications ran reasonably well.

I then put Linux (Ubuntu) on all their computers. Initial teething problems while I weaned them off their various Windows Applications. A decade later and they are still using Linux and now think it rather cool to be different.
Anonymous
