InfoSec News

By now you've sent off your abuse reports (http://isc.sans.edu/diary.html?storyid=9664) and have tracked the responses in your spreadsheet. I'd wager that so far you haven't got great results in that column yet. You've likely received bounces that the abuse contact doesn't exist, or that the mailbox is full. Others have given you nothing but silence. What next?
It's now time to go up a level. With a little bit of detective work, say a traceroute or a bit of DNS probing, you can identify the organization that supplies the IP addresses belonging to the infected system. There is a nice guide on how to go about that here: http://www.rickconner.net/spamweb/tools-upstream.html Add a couple of new columns to your tracking spreadsheet: the upstream provider, its contact, and when you sent your report.
You will want to update your abuse report to take into consideration the needs of the up-stream contact. You have to be even nicer, and provide the initial abuse report as well as your justification for escalating to the up-stream (e.g. abuse contact does not exist, mailbox full, no response after a week, etc.).
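The escalation decision above (bounce because the contact does not exist, mailbox full, or a week of silence) is mechanical enough to script against the tracking spreadsheet. The following is an added example, not part of the diary: it reads a constructed CSV export of the spreadsheet (column names `ip`, `abuse_contact`, `sent`, `response` are assumptions), decides which reports are due for escalation and why, and drafts the escalation note with the original report attached, as the entry recommends.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export of the tracking spreadsheet (not real data).
# One row per report sent to the first-level abuse contact; "response" holds
# whatever came back, or is empty when nothing has been heard.
TRACKING_CSV = """ip,abuse_contact,sent,response
192.0.2.10,abuse@isp-a.example,2010-10-01,
192.0.2.11,abuse@isp-b.example,2010-10-05,550 5.1.1 user unknown
192.0.2.12,abuse@isp-c.example,2010-10-06,552 mailbox full
192.0.2.13,abuse@isp-d.example,2010-10-07,Ticket #4711 opened - thanks
192.0.2.14,abuse@isp-e.example,2010-10-08,
"""

# The diary suggests about a week of silence before escalating.
NO_RESPONSE_AFTER = timedelta(days=7)


def escalation_reason(row, today):
    """Return the justification for escalating to the upstream provider,
    or None if the first-level contact should still be given time."""
    raw = row["response"].strip()
    response = raw.lower()
    sent = date.fromisoformat(row["sent"])
    # Bounce: the abuse mailbox does not exist at all.
    if "user unknown" in response or "no such user" in response:
        return "Abuse contact does not exist (bounced: %s)" % raw
    # Bounce: the mailbox exists but nobody is reading it.
    if "mailbox full" in response or "over quota" in response:
        return "Abuse contact mailbox is full (bounced: %s)" % raw
    # Any other reply means a human or ticket system answered; keep working that channel.
    if response:
        return None
    # Silence: escalate only once the waiting period has passed.
    if today - sent >= NO_RESPONSE_AFTER:
        return "No response from %s after %d days (sent %s)" % (
            row["abuse_contact"], (today - sent).days, row["sent"])
    return None


def escalation_candidates(csv_text, today_iso):
    """Return [(ip, reason), ...] for every row that should now go upstream."""
    today = date.fromisoformat(today_iso)
    candidates = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = escalation_reason(row, today)
        if reason:
            candidates.append((row["ip"], reason))
    return candidates


def escalation_note(ip, reason, original_report):
    """Draft the message for the upstream contact: justification first, then the
    original report so they do not have to ask for it."""
    return ("Escalation request regarding %s\n"
            "Justification: %s\n\n"
            "--- original abuse report ---\n%s" % (ip, reason, original_report))


if __name__ == "__main__":
    for ip, reason in escalation_candidates(TRACKING_CSV, "2010-10-11"):
        print(escalation_note(ip, reason, "(original report text for %s)" % ip))
        print()
```

Rows that drew a real reply are deliberately left alone, which matches the advice not to escalate while someone is still handling the ticket; the bounce and silence rules are the three justifications the entry lists, so the note you send upstream carries exactly the reason they expect to see.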
Why didn't we report to all levels of the up-stream contact in the initial report? My simple answer is crowd psychology. If you send out your report to many levels of abuse contacts, and copy SANS and law enforcement, I can guarantee you that nearly all of your recipients are going to ignore your report, thinking that it's someone else's problem to handle.
It's a process; it will take some time. Don't give up because you got an automated response.
-KL (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Day 10 begins week two of Cyber Security Awareness Month. This week's topics will focus on security issues affecting children and school.
Today we solicit input on how to provide a safe browsing experience for pre-teens.
Risks specific to pre-teens that we want to address:

Installation of unwanted applications: adware, spyware, malware, either through social engineering or drive-by exploitation.
Commercial/Marketing tracking: it has been reported that children are targeted more than adults (http://online.wsj.com/article/SB10001424052748703904304575497903523187146.html)
Exposure to unwanted ideas: what those particular ideas are, I'm leaving up to the parents.
Communication with the wrong people: I'm also leaving the definition of wrong people up to the parents.

Of course, looking over that list, they're the same risks you want to protect your sales staff from as well.



In constructing our strategy we could consult these earlier CSAM entries:

Securing the Family Network (Day 2) http://isc.sans.edu/diary.html?storyid=9649
Sites you should stay away from (Day 5) http://isc.sans.edu/diary.html?storyid=9673

An initial strategy approach may look like:

Use special unprivileged account: junior doesn't need root access.
White-list: this is one of the few cases where white-listing is tenable.
Lock down the browser: use tools such as NoScript, noflash, Adblock, etc. Coupled with aggressive white-listing, the admin/parent can pre-configure each site as it's added to the white-list.
Secondary filtering: web-proxy filter, OpenDNS; use layered protection for the whole family.
Only allow computers in public spaces: very young children will always need an adult, and older pre-teens should have one close by to field questions and help with decisions, which you can post humorous tales about later on Facebook.
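White-listing only works if the check looks at the host the browser will actually contact, so the details matter: a URL like `http://kids.example@evil.example/` names `evil.example`, `notkids.example` is not a subdomain of `kids.example`, and case, trailing dots and ports must not matter. The following is an added example, not part of the diary or of any of the tools it names: a small allow-list check (the allow-list entries and URLs are constructed) that makes those decisions the way a proxy filter or browser policy should.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites the parent has pre-configured (not real sites).
ALLOWLIST = {"kids.example", "homework.example.org"}


def contacted_host(url):
    """Return the lower-cased host the browser would really connect to, or None.

    urlsplit().hostname already drops userinfo ("user@") and the port and
    lower-cases the name; the trailing dot of a fully qualified name is removed
    here so "kids.example." matches the allow-list entry "kids.example"."""
    parts = urlsplit(url)
    # Only plain web traffic is eligible; javascript:, data:, ftp: and friends are not.
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")


def is_allowed(url, allowlist=ALLOWLIST):
    """True only when the contacted host is an allow-listed site or a subdomain
    of one; the dot boundary stops "notkids.example" from matching "kids.example"."""
    host = contacted_host(url)
    if host is None:
        return False
    return any(host == site or host.endswith("." + site) for site in allowlist)


def decide(urls, allowlist=ALLOWLIST):
    """Map each requested URL to the filter's decision, for review by the parent/admin."""
    return {url: ("allow" if is_allowed(url, allowlist) else "block") for url in urls}


if __name__ == "__main__":
    sample = [
        "https://kids.example/games",
        "http://www.kids.example/",
        "http://KIDS.EXAMPLE./",
        "http://kids.example:8080/",
        "http://notkids.example/",
        "http://kids.example.evil.example/",
        "http://kids.example@evil.example/",
        "ftp://kids.example/",
        "javascript:alert(1)",
    ]
    for url, action in decide(sample).items():
        print("%-40s %s" % (url, action))
```

The default answer is "block", and a new site is admitted only by adding it to `ALLOWLIST`, which is the moment the entry suggests the parent also pre-configures the site in NoScript or the ad blocker. Because the decision is made on the parsed host rather than on a substring of the URL, the usual look-alike and userinfo tricks fall on the block side without any special-casing.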

Again, that sounds a lot like a decent small-business/corporate-environment approach. Not everyone will have the tools or time to build a comprehensive system for their home network. How are parents handling this out in the field?