Lessons

Lessons

What’s old will be new again.  Or, as in the old Jewish proverb: “Who is wise? One who learns from every person.

My next infosec conference talk will be at the ISACA Western New York Controls & Compliance conference, on May 7

Lessons from the Orange Book will be a talk about how the “old” first principles of computer security still apply in the era of the Cloud and IoT.

After I deliver the talk I will blog a summary of it here.

So That Was BSides

So That Was BSides

Forrest Fuqua, coordinator of BSides Roc – featuring #hatchan

As cool as it was being at BSides Rochester yesterday, because of my role in it I did not get to attend any of the talks!

Jason Scott – Keynote

Lucky for me, almost all the talks are now or will soon be online! See the whole raft of videos here.

And then there’s #hatchan. It’s not just a hat, it’s an institution. It’s a WiFi hotspot. It’s a server. It’s hackable. At the end of the day, when he shut it down, there was an audible groan from a segment of the attendees.

Ransomware

Ransomware

You have probably seen news of businesses and institutions being attacked by ransomware, and having to pay tens of thousands of dollars to get rid of it. Names like CryptoLocker, Fusob and WannaCry have floated by. But, what is ransomware? How does it work? How can I avoid being stung?

Simply defined, ransomware is a specific type of malware that denies its victims the use of their data until a ransom is paid.

Ransomware attacks typically operate as follows:

  • The trojan is installed on the victim computer system
  • It collects a list of the files it can access that it will encrypt
  • It contacts a central server, operated by the attacker
  • The server generates a unique encryption key for that victim, which will be stored on the server and sent to the trojan program on the victim machine
  • The trojan encrypts the targeted files using that key. In modern examples, this encryption is quite strong
  • Once the encryption is complete the trojan destroys its local copy of the key
  • The trojan then communicates to the victim that the files have been encrypted,
  • It offers to provide decryption after a payment is made, usually within a fairly narrow time window.

Ransomware gains access to victim machines through the usual malware routes: users click on dodgy links in email, or open malicious file attachments. Web pages or banner ads that have been compromised can provide “drive-by” downloads of all kinds of malware. Whereas other malware may join victim computers to botnets, get them to start mining cryptocurrency, or participate in distributed denial-of-service attacks, ransomware has the simple goal to get money to its operators immediately.

The files that ransomware encrypts are usually documents and spreadsheets, images, music and video files, HTML and source code files, and ZIP archives. Ransomware does not typically attack the other software on the system. Thus, a victim’s copy of Office and Photoshop may be undamaged, but all their work in those systems will be unusable. Also of note: most ransomware encrypts files on all available network shares as well as the local disk. So a small office can be wiped out from just one infected computer, since small offices often only have a single hierarchy of file shares and everyone can get to them.

If implemented well — and it frequently is — the server-to-trojan protocol of generating a key, encrypting with it and then discarding the local copy of that key is extremely difficult to crack. When a business confronts a ransom demand, often the cheapest way to get back into operation is to pay the attacker. Despite all the larger reasons that this is a horrible idea, the equation of paying $X to get the decryption key against a possible $X00 to $X000 to recreate all the data makes the decision to pay a no-brainer. The sole glimmer of good news here is this: the vast majority of attackers, when paid, actually provide the key and allow recovery of the data. In some cases, they have even provided technical support to assist “customers” having difficulty doing the decryption. Why? If they do not keep up a reputation for providing what is paid for, the “market” will stop paying them and seek alternate means of recovery. And they just want the money.

There is one strong defense against ransomware: backups. The backups should be as current as is practical. Real-time backups are ideal but not always feasible. But if a business is only facing the prospect of recreating one or two days of data as opposed to weeks or years, then a decision not to pay off criminals becomes much more reasonable. To be safe from the encryption of a ransomware attack, backups should be stored somewhere that is not constantly connected to the main systems, or in any case not accessible as a normal file share. So if you run a backup system in the office that places all the backups on a server, do not also use that server to host file shares.

With good recent backups in hand, the strategy for responding to a ransomware attack is much less stressful: clean or re-image the machines affected, restore the data, get back to work. As I am fond of saying, security, done correctly, is almost boring.

Ads Just Keep Getting Worse

Ads Just Keep Getting Worse

“Relevant” is the ad industry’s current excuse for all the spying, tracking and intruding on our lives that they are currently tormenting us with.

Good NYTimes article through here – click!

They “need” to suck down every aspect of our personal lives and habits and idle thoughts… so they can show us better sneaker ads. Sneaker ads that creepily show up the minute we register to run in a 5K. Or walk past a Foot Locker.

This is why I block all ads, everywhere on the Internet. I was reading the descriptions of what it’s like for people experiencing this kind of ad stalking and I have to admit: I can’t relate. I experience exactly none of it. And I’m glad.

When media websites grouse at me for running an ad-blocker, I mentally respond, well, make the ad experience less hideous. Make it less of a personal violation. Wipe out the malware. But these things, they will not do. Instead, they scold and threaten. So if a site still won’t allow me to proceed without white-listing it in my ad blocker, fine. I move on with life.

And oh yeah… if you think it’s not getting worse… the New York Times article linked above mentions ad-blocking as a possible course of action. Not too long ago, that was a glaring omission.

And the creepiest of all, the mother lode of creepy, is Facebook. #DeleteFacebook!

Anyway. Get uBlock Origin for all your PC browsers. Brave for mobile, and add Better Blocker for iOS. The mobile solutions aren’t as comprehensive as the PC, but they are the best I’ve found so far.

Breaches

Breaches

Not Beaches!  BReaches!

Ah yes, breaches.  Not really a much better movie, I’m afraid, yet we keep seeing it over and over.  Big splashy headlines touting eye-popping numbers, followed by unsolicited offers of credit monitoring from companies who are really, really hoping their arbitration clauses hold up.

They do seem to arrive in clusters, also.  The latest one-two punch is Marriott, then Quora.  Marriott managed to get hacked and then not detect it for four years, finally now disclosing that half a billion-with-a-B guest records were exposed.  Credit cards, passport info, all the good juicy stuff.

This revelation was followed-up last night by Quora revealing that “only” 100 million-with-an-M records were breached.  This email notification went out overnight and resulted in 150,000 people going, Dammit, my Quora account got hacked! and 99,850,000 people going, Wait… what?  I have a Quora account?

In any case, the odds are very good that you have been among the nine-or-ten digit totals of a few data breaches already.  Here are a few tips on how you can deal with this and get on with life

  1. Take the monitoring.  When they offer you credit monitoring free for a year or so, take it.  Can’t hurt.  Worth the price. But you probably won’t need it because of the other things you are going to do on this list, like…
  2. Freeze your credit.  Go to each of the major credit reporting agencies’ websites (EquifaxExperian, TransUnion) and follow their process for freezing your credit reports.  Yes, this will make impulsively opening new credit accounts more difficult.   Why do you say that like it’s a bad thing?
  3. Check your statements.  Look for any phony activity.  Your issuer will make good on anything you report as fraudulent on your credit cards if you report it promptly.  Don’t wait.  By the way: banks are not obligated the same way to make good on fraudulent activity on debit cards – even if you use them as a credit card at the point of sale.  So in general, don’t do that.  I only use my debit card in the bank’s ATMs.
  4. Check your credit report.  Like a lawyer, the credit report checking site you want is not on TV!  Ignore all the catchy jingles and flying pigs with smartphones, and go to the only non-scammy site out there: annualcreditreport.com
  5. Manage your passwords.  We’ve talked about it in the past: how your passwords need to be different at every site you log into.  If they got your Quora password, let that be all they got.  For those of you who are not already using a password manager, the best advice I have is this:  START USING A PASSWORD MANAGER RFN.  There are things sites can do to make a password-file data breach lower impact;  hashing and salting are not just cooking techniques!  But not every site does the right things, and not every site does the things right.  And it only takes one failure to give everyone a bad day.  So you have to protect yourself, and using complex passwords that are unique per site is how you do that.  And the only way to keep those passwords all straight is with a password manager.
  6. Enable Two-Factor Everywhere.  Two-factor authentication is becoming widely popular since the vast majority of sites are now able to leverage things like Google Authenticator apps on users’ smartphones.  This means that dedicated hardware tokens are no longer required, and the barrier to users adopting it for their own logins are as low as they can be now.  Be sure you use this wherever it’s available: it means the difference between a password compromise being annoying vs. Game Over.

If you can get yourself to where you are doing these six things, Breaches can be another movie that you just make fun of.

IT v Security

IT v Security

One of my best friends is an IT guy, with about the same amount of career experience as I have.  (We’re old, get it?)

When we get together, I notice that we each show the distinctive mindset of our specialties: he’s always thinking, How can I get this to work?  And I’m always thinking, How can I break this?

And yet, it was he who sent me this:

Don’t be put off by the length – the time will fly by
Uptime 3: Climate Change

Uptime 3: Climate Change

Data centers with thousands of computers in concentrated amounts of floor space do have to expend enormous amounts of energy keeping things cool.  Your home data center can almost entirely ignore this issue, except where your computers have to be enclosed.

Server Closet.  Or at least, a server IN A closet.

At some point, you will want some of your servers out of sight.  Any machine that provides some service via the network without being needed in front of you is a server.  Home aesthetics will at some point demand that the thing get out of sight.

Your computer’s case has one or more fans that circulate air through it for cooling.  The fan draws in room air, heats it some with heat generated by the components operating inside, and then ejects it back into the room.  A typical room is large enough to absorb this without moving the needle much on the overall room temperature, so the process can continue more or less indefinitely.

The problem you encounter when putting a computer into a closet is, soon after the door is closed the computer is drawing in and heating already rather-hot air, and the temperature in the closet starts rising.  Much over 95F/35C, and you’re going to start having components on your system board begin to behave erratically or fail.

So don’t let things in there get too hot.  Check if it’s heating up steadily in there, and open the door a bit if you have to.  If you can, add a vent at the bottom of the door, and an exhaust fan or two at the top.  If you get a couple of 180mm fans that are designed to be installed is computer cases, you can probably work out how to power them outside a case, and you will find that they are really, really quiet.

Note: however you route your network cables in and out of the closet, be sure the door is not pinching them every time it opens or closes.  Eventually, a conductor in there will break and you will get to 1) do a really “fun” troubleshooting session, then 2) shop for a new network cable. 

Another thing you will want to avoid during the heating season is letting the air get too dry.  If that happens, you will have a tendency to build up static electric charge on yourself as you move around.  You can potentially zap your computers when you touch them, damaging random expensive things inside them. 

If you can add humidity to your environment, do so.  Get the relative humidity to about 50%, give or take 10%.  But (and this is important!) do NOT use a misting humidifier, one that sprays droplets into the air to evaporate there.  Be sure to use a humidifier that evaporates the water inside it, so the vapor that comes out is pure water.  If your humidifier sends droplets of tap water into the air, when the water evaporates, it will let the salts and minerals dissolved in it float down to the surfaces in the room, forming a fine white dust that you will see everywhere.  This dust has the potential to short out connections on printed circuit boards, causing all kinds of very expensive havoc.

Also don’t let the wiring in your server closet get away from you.  Like this guy did.

There are worse than this.  See /r/cablegore

Uptime 2: The Power

Uptime 2: The Power

Your home is your data center.

Maybe this sounds like a stretch but, unless you live a very low-tech existence (like this guy, perhaps?), this is how we all live now in the 21st century.  Oh sure, you are not going to have to have raised floor to accommodate miles of wiring, or forty tons of lead-acid batteries for power leveling, or gigantic Liebert chillers for cooling down hundreds of servers.  Still, it would be a good idea to give some thought to how your environment can be more comfortable for the dozens of computing devices that make modern life tick.  We don’t necessarily have to keep our homes to the strict environmental standards of large data centers.  Still, it pays not to subject our computing devices to too much environmental stress. 

Consider power. If a device works from a battery, which you recharge when you can, then it will be less sensitive to fluctuations in the power that comes out of your wall sockets. But devices that work straight off your line power can be quite sensitive to spikes or sags. Even if they take the power through a transformer (“wall wart”) it probably offers little or no protection from spikes that can damage the equipment.

Batteries directly power the large data centers, while being continuously recharged from line power or generator 

You won’t have a large roomful of batteries through which to pass all your electricity, providing an absolute filter against voltage sags and spikes. But for any of your digital devices that run on AC power out of a wall plug, you need to consider how to condition the power they get.  Though there are many options, the ones I want you to consider are a good surge suppressor and a UPS. 

Surge suppressors are best for:

  • Devices that have some internal battery capacity, e.g. laptops
  • Devices that will not lose data if the power drops — at least, no data that you care about

Not all surge suppressors do much in the way of suppressing potentially damaging surges.  Some are no more than power strips with a marketing makeover.  I use sites like The Wirecutter to figure out which ones are worth my attention.

For devices that have much more severe consequences when the power drops, you should be looking at a UPS.  A UPS is a teeny-tiny version of that roomful of batteries you see above: the line power keeps a battery inside the UPS charged, and that battery is what actually sends power to your equipment.  Consider a UPS for:

  • Desktop computers
  • Servers
  • DVRs
  • Networking equipment – cable or DSL modems, firewalls, switches, WiFi access.

UPS’s are sized in “VA” which means volt-amps.  Think of a VA as a unit of current to be supplied.  The more VA you have, the longer power will last after a utility failure.  But the larger the device(s) being powered, the faster it draws down VA from the UPS, so the less time you get. You can use a larger UPS to get more time or to power more devices.  Remember, for a desktop computer, you’re going to want to power the display, and any attached external hard drives as well.

I typically use a UPS between 750-1000 VA for a desktop computer.  This gives me enough time to finish up what I am doing, or at least get to a decent stopping point before I run out of juice.  If I can shut down my computer on my own terms during a power outage, I count that a win.  But in case you are not home, be sure every desktop and server is using the critical feature of most UPS’s: to connect a data cable and run a small background app that gracefully shuts down the system when the UPS informs it that the batteries are almost drained.  Otherwise, all you will have done by hooking up the UPS is delayed the sudden power failure by a couple of hours.

Another trick I have enjoyed during a few thunder-stormy evenings is using a smaller UPS (maybe around 500-600 VA) to power all my network gear.  The network stuff is less demanding and so lasts longer.  The result is, after two hours with no power from the utility, my server and desktop are dark.  But my iPad and my phone are happily using the WiFi to fetch email, check social media and even watch a little Netflix if I want.  I can even use that UPS to recharge my mobile devices as needed.

Uptime

Uptime

Every one of us has a data center to care for.  Not everyone takes it as seriously as some do.

The mouseover text for this one reads:

The weird sense of duty really good sysadmins have can border on the sociopathic, but it’s nice to know that it stands between the forces of darkness and your cat blog’s servers.

Point being, what’s trivial to you or me is not so trivial to someone.  And if that someone is a member of your household then you need to take it seriously, if for no other reason than shalom bayit

Think about the things a data center does to create a fundamentally good environment for the computers it houses: climate control, power protection, redundancy, fire protection, physical security.  

But Kahomono, I hear you saying, my house is not a data center!  Oh no?  Let’s talk about a job I had a few years ago.  OK, quite a few years.  But still: we were opening a new data center for a major NYC bank.  We had three computer rooms: the Mainframe room had 8 IBM 390s.  The Time-Sharing room had 4 Honeywell DPS-8s.  And the Mini room had about a dozen computers of various makes: Data General, Pr1me, Tandem, Digital.  There were also a handful of IBM PCs floating around, with which nobody was very impressed.  So let’s round up and say that this “Data Center” — and it was surely that — had about 30 computers housed in it.

How many computers in your home now?  Do you even know?  I can say that in a typical home housing a family of four, you probably have… more than in my 1980’s era data center.  40?  Maybe close to 50?  Consider that your phones and tablets, your set-top boxes, DVRs, gaming consoles, “smart home” controllers and endpoints, not to mention every “smart” appliance you connected to your poor overtaxed WiFi, are all computers at least as powerful and capable as that VAX in our Mini room back in the day.  So if you only counted your desktops and laptop computers, you missed the mark by around 90%, is my guess.

And every one of those computers is capable of violating at least one tenet of information security.  (Remember CIA?) 

  • Confidentiality: it could leak information about you and your activities that you would rather it didn’t.  
  • Integrity: It could damage or alter information it holds, making it less useful or even harmful to you
  • Availability: you could lose information you don’t want to lose.  Think emails, tax returns, photos, music collections, movies, saved game progress.

So what do you do about it that doesn’t turn you into that guy in the cartoon above?  More on that to come.

this post originally appeared on Kahomono – It Means Lucky.