InfoSec News

Hopefully you've read the kick-off (http://isc.sans.edu/diary.html?storyid=9637) and have looked at bit at your logs. Perhaps you've worked out what the cost of slammer is to your network on the back of a npkin. In most instances it probabably would cover the price of your lunch, or it's enough to justify the small amount of time this exercise will cost you.
Create a simple spreadsheet listing the IP addresses that have been hitting your perimeter. You'll want to track who the abuse contacts for that network are, when you send your notice, and what kind of response that you get (we'll add more columns later this week.)
Next you'll be running a few WHOIS requests. Everyone has a favorite way to do this (send in your comments on what you think is the easiest way pull abuse contact information.) Depending on your resources, you may have time to tackle all of them, others may only have time to do handle 25 or so. Everyone should try at least ten, if only to get a good sample of the different types of response that you get from your first efforts. Just remember that there are a lot of people doing this along with you this month.
When you compose your first message I want you to keep a few things in mind:

Be polite and professional-- you are trying to enlist the help of a stranger. Take a look at some of the emails that come into your abuse contact email if you have access. Mimic the alerts that you respond positively to, avoid the behaviors of those you dislike.
Provide logs-- if you don't initially provide logs, that will be their first request of you. Demonstrate that you're on the level with your first message and set them up to succede. It's ideal to provide the logs in GMT, but if that's not convenient, provide the GMT offset for your logs. There is no shame in getting probed/scanned on your perimeter, so there is very little to hide from them.

Feel free to cite these diary entries or use us as a reference. Tom Liston has other (humorous) tips on how to make an abuse report here: http://isc.sans.edu/diary.html?storyid=9325
Take a few minutes to reach out. Statistically-speaking, you're most likely to get no response or an error message (we'll cover how to proceed in those cases later,) so don't be daunted or give up because of that.
-KL (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
We covered phishing and other nefarious fraudulent emails in yesterday's diary. Today's entry is about preventing unauthorized access to your email and some email handling issues.
Unauthorized Access to your email can occur for a number of reasons

you picked a simple password, and someone guessed it
you picked a good password, but someone guessed the password reset question (remember Wasilla High ?)
you accessed your email account from an unsafe public terminal
you accessed your email account from a safe personal computer, but did not use SSL

Derived from this are a few steps you can take to make things harder for snoops:

Pick a good long password. And do change it every now and then. I am certainly no fan of change your password every xx days rules, but for online email, changing it on occasion actually makes good sense -- it is your only chance to lose any stalkers you might have picked up over time. Your ex, your dorm roomie, etc, might know your password, and can passively snoop your inbox without you ever noticing. Only changing the password shakes them off.
Actually go through the I forgot my password routine once. Just pretend that you don't remember the password. And then watch carefully how hard (or not) it actually is to regain access. There are still mail providers out there who require you to have a 10-character password, but at the same time force you to use The color of your first car as a password reset question. Having a password reset option is good (heck, I also forget passwords if the vacation is good and long :), but the reset option should be as hard to guess or fake as the original sign-on. If you got the choice, pick a provider that allows you to write your own question/answer pair and that includes some sort of out of band notification like SMS.
For the unsafe public terminal, well, don't log into your email there. Within a couple months, all of us will anyway carry web enabled mobile phones, and those shady airport and hotel PCs will hopefully then follow the internet cafe into merciful obscurity.
If you are already using a mobile phone or *pad or *book for email access on the go, make sure that your email client is set to use SSL/TLS. HTTP, IMAP and POP3 should all be avoided if they are not paired with SSL/TLS for encryption (HTTPS, for example). Remember, WiFi signals can be intercepted and recorded by everyone in range. Without encryption, eavesdroppers get to see your login credentials and all the email that you download and read.



EMail Handling
Reply to all was not invented for people who click faster than they think. On occasion, these embarrassing broadcasts of a person's naivet make everyone at the office cringe. Thus, if you are using reply to all, check carefully who is on the recipient and cc: lists. And do everyone a favor and never reprimand a hapless reply-to-all person by also replying to all with an admonishment.
Unsubscribing also has its pitfalls. If you try to unsubscribe from some list that you never actually subscribed to, chances are that you just confirmed to some spammer that you actually read their email. Only use unsubscribe on things that you vaguely remember ever having signed up to, and use mark as spam for all the rest.
Last but not least, EMail is a poor medium to convey irony or sarcasm. As useful as email is, the more contentious a discussion gets, or the more back-and-forth replies pile onto replies, the better off you likely are by picking up the phone, and having an old-fashioned talk.
If you have other tips on how to keep email safe and secure, please comment below or use the contact form. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Public Safety Canada released their version of a Cyber Security Strategy today. My first impression is that the document is a good start, albeit a bit late. It does demonstrate that the government is trying to show leadership in this area, which is a good thing. What the strategy document lacks is the pragmatic plan and specific steps required to implement it. The document will also serve as the report card for Canadians to evaluate the progress of the various departments that currently handle aspects of cyber security within the levels of government. Particularly Public Safety. In twelve months from now all of the items in their strategy should be reality. Each of the three primary areas the strategy covers are equally important in the long term, and require a significant investment in time, funding, cooperation, partnerships, and leadership. Government systems, applications, and networks must be secured. New better partnerships must be created with all stakeholders in the private and public sectors. The public have the right to expect both guidance and assistance in securing their home computers and identities.



I believe that this truly underscores the need for a national CIRT/CERT in Canada, an organization that can help Canada meet these requirements and follow the steps as laid out in the strategy, as unfortunately it does not currently exist.



It is a step in the right direction, however many more are required.



The strategy is outlined here:

http://www.publicsafety.gc.ca/prg/em/cbr/ccss-scc-eng.aspx
Tell us what you think, or comment below!
Cheers,

Adrien de Beaupr

Handler, SANS Internet Storm Center

Senior IT Security Consultant, EWA-Canada.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Well the bad news is the H root servers were not available for over 18 hours. The good news is that practically nobody noticed. As it turns out a fiber cut and poor weather took out access to this cluster of root DNS servers. https://lists.dns-oarc.net/pipermail/dns-operations/2010-October/006142.html shows the explanation for the outage. While the outage had no direct impact on Internet users, it does point out the necessity of proper design for redundancy. Graph of the H availability:

Cheers,

Adrien de Beaupr

EWA-Canada.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
On day 3 of Cyber Security Awareness Month 2010 the topic is Recognizing phishing and online scams. Which is an interesting discussion. For example, would phishers still bother if no one clicked and freely entered their credit card and personal information? Would 419 scammers bother if no one responded to their messages? Since there is a profit motive behind the miscreants actions if there were a diminishing return, or the actual possibility or prosecution, would we continue to see so many of their emails and web sites? Philosophical questions aside, in oder to reduce the harm of scammer and phishers the people receiving the bait need to be able to recognize the messages as such and not respond or click.
Don't click or respond to the following:

If it sounds too good to be true, it is.
If the message does not appear authentic, it probably isn't.
Do the content of the message appear in search engine results?
If you hover your mouse over the link does your browser or security software silently scream at you?
Seeing silly typos, formatting, or grammatical errors a professional would not make.
If the message asks you to send your information to them, rather than the other way around.
If you don't have an account with the company supposedly sending the email!

Here are some useful links:

http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx
http://www.us-cert.gov/reading_room/emailscams_0905.pdf
http://www.gongol.com/howto/recognizephishing/
http://www.surfnetkids.com/safety/how_to_recognize_phishing-21760.htm

This is just a start, please send in your suggestions on ways to avoid falling for scammers by recognizing the signs.
Update: Leigh sent in the following quiz to assist in detecting phishing/scams:
http://www.ballarat.edu.au/aasp/is/ict/security/security_challenge.shtml
Cheers,

Adrien de Beaupr

EWA-Canada.com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Internet Storm Center Infocon Status