Tom Olzak

Posts Tagged ‘malware’

CryptoWall continues to spread

In Computers and Internet, Content Filtering, Cybercrime, Data Security, Ransomware on July 3, 2015 at 04:00

CryptoWall, an instance of ransomware, is a growing threat.  Attackers use it to hold an organization’s resources hostage until they get something of value.  This costs Americans millions… and it’s getting worse (FBI, 2015).

Ransomware, like CryptoWall and Cryptolocker, encrypts media on the infected machine and all media attached to the machine.  It then demands hundreds or thousands of dollars before the attackers agree to decrypt the hostage data.

Defense against this attack method is getting harder, as attackers find new ways to deploy CryptoWall and Cryptolocker.  Advanced attack techniques often leverage human vulnerabilities to bypass security controls.

The FBI provides a long list of defensive measures.  However, businesses should begin by implementing a short list of controls that protect against all types of advanced malware, not just ransomware:  Web filtering, spam filtering, email malware filtering, and (likely most important) denying users local administrator access.  This is in addition to best practices that should already be in place, including network segmentation with an application server abstraction layer (end-user devices-to-application servers-to-database servers) to help isolate critical data from infected end-user devices.
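The post describes the behaviour that makes ransomware visible to a defender: one infected workstation touches a large number of files, on its own disk and on every attached or mapped share, in a short burst. The following detector is an added example, not code from the post or from any product it names. It runs over a constructed file-audit log in a hypothetical format (`timestamp host user action path`) and flags any host/user pair that modifies more than a threshold of distinct files inside a sliding one-minute window, reporting which file servers were reached so the segmentation point above can be checked.

```python
"""Burst file-modification detector over constructed file-audit log lines.

Hypothetical log format (constructed for this example, not a real product's):
    <ISO-8601 timestamp> <host> <user> <WRITE|RENAME> <path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user edits a couple of documents, while a second
# workstation writes to dozens of local files and renames files on a mapped
# share within a few seconds, the footprint a CryptoWall-style encryptor leaves.
SAMPLE_LOG = "\n".join(
    ["2015-07-03T09:00:00 WS-ALICE alice WRITE C:\\Users\\alice\\report.docx",
     "2015-07-03T09:02:10 WS-ALICE alice WRITE C:\\Users\\alice\\budget.xlsx"]
    + [f"2015-07-03T09:05:{i:02d} WS-BOB bob WRITE C:\\Users\\bob\\Documents\\file{i}.docx"
       for i in range(30)]
    + [f"2015-07-03T09:05:{30 + i % 29:02d} WS-BOB bob RENAME \\\\FILESRV\\Shared\\q{i}.pdf"
       for i in range(25)]
)


def parse_line(line):
    """Split one audit line into (timestamp, host, user, action, path)."""
    ts, host, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, action, path


def detect_bursts(log_text, threshold=20, window=timedelta(seconds=60)):
    """Return {(host, user): (peak_distinct_files, [file servers touched])}
    for every host/user pair that modifies more than `threshold` distinct
    files inside any `window`-long span of the log."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, path = parse_line(line)
        if action in ("WRITE", "RENAME"):
            events[(host, user)].append((ts, path))

    alerts = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])
        peak = 0
        # Slide a window starting at each event; count distinct paths inside it.
        for i, (t0, _) in enumerate(evs):
            paths = {p for t, p in evs[i:] if t - t0 <= window}
            peak = max(peak, len(paths))
        if peak > threshold:
            # UNC paths (\\server\share\...) reveal which file servers were hit,
            # i.e. which "attached media" beyond the local disk is at risk.
            servers = sorted({p.split("\\")[2] for _, p in evs if p.startswith("\\\\")})
            alerts[key] = (peak, servers)
    return alerts


if __name__ == "__main__":
    for (host, user), (count, servers) in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}/{user}: {count} files modified in 60s; servers: {servers}")
```

The threshold and window are tuning knobs; legitimate bulk operations (backups, build jobs) will also trip a naive version, so in practice the alert would be scoped to interactive user accounts and user-writable locations.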

Controls: The absolute minimum

In Application Security, Cybercrime, Data Security, Log Management, Network Security, Physical Security, Risk Management, Security Management on February 3, 2013 at 17:07

Lulled into false security by years of being told anti-malware is the best way to protect networks and devices, many network administrators leave their networks wide open.  Using only anti-malware software, a firewall, and an IPS leaves gaping holes in the security controls framework.  Attackers with limited experience can locate and exploit attack vectors with little regard for these venerable controls.  While firewalls and IPS devices help, they were never intended to provide a complete prevention/detection/response solution.

SANS provides an up-to-date list of 20 critical security controls (now at version 4.0).  The downloadable documentation provides guidance on in-depth, layered integration of the controls necessary to fill the gaps left by traditional approaches to minimal security.

Lion eats a Trojan…

In apple, Application Security, Computers and Internet, OS X Lion, Safari on September 28, 2011 at 14:21

If you’re a Mac user, you’ve probably grown complacent about security from time to time.  However, criminals are starting to go after you… me included.  In a recent CSO online article, George Hulme writes about two OS X Trojans that made the news this week.  In addition, he writes about a vulnerability that Mac users who still aren’t using Firefox have in their Safari browsing experience:

“It’s those users that keep their standard system settings that are at the greatest risk, Intego says. Because the Safari browser is set to consider installer packages as safe (those files with a .pkg or .mpkg extension), it will automatically launch them after download if their settings aren’t changed from the default. Intego advises users to remove those settings.”

The following graphic shows the Safari setting in Snow Leopard.

Uncheck this box!

I guess it’s time for less Windows-bashing and a little more attention to Mac security…

Android security…?

In Application Security, Certificates, Cybercrime, Data Security, Hacking, malware, Mobile Device Security, security, Security Management on March 6, 2011 at 20:09

A recent post on the Frequency X Blog examines the latest Android malware, DroidDream.  The hole that allowed this is as big as they get.

A Different Kind of Whitelist?

In Business Continuity, Cybercrime, Email, Phishing, Risk Management, Spam on September 30, 2010 at 13:45

During my years as a security director, one of the weekly challenges I faced was how to tell my peers in engineering that we had more items to add to the growing list of blocked domains or IP addresses.  This was not only a management headache; it also occasionally caused a backup of the email queue feeding our perimeter Barracuda devices. If only there was a better way…

Well, Spamhaus claims it has found the answer.  Using a tightly controlled whitelist–membership is possible upon invitation by another member–Spamhaus says it provides comprehensive email filtering, free and without all the management issues faced by many enterprises.

“Unlike traditional whitelists, the Spamhaus Whitelist is not a service to help bulk mail senders improve delivery rates. You can not whitelist an IP address or domain that is used for sending marketing or soliciting bulk email, or used for sending any email on behalf of third parties. This rule therefore automatically excludes Email Service Providers, ISP customer mail relays and mail servers used by third-parties, and all bulk mailing list servers and services,” the company said in its explanation of the service.

(Source: Spamhaus Debuts New Whitelist Service | threatpost.)

Setup is easy and well documented at the Spamhaus site. At a high level,

The Spamhaus Whitelist is actually made up of two whitelists: an IP address whitelist called the ‘SWL’ and a domain whitelist called the ‘DWL’. These are published as swl.spamhaus.org and dwl.spamhaus.org respectively.

The SWL is both an IPv4 and IPv6 whitelist. It responds to queries of either IPv4 or IPv6 addresses. (Note: IPv6 handling is not yet active. Spamhaus estimates IPv6 service starting in 2011)

The DWL is a VBR (vouch-by-reference) domain whitelist designed to automate DKIM certification.

(Source: Spamhaus.org, 2010)

So what happens if a sender abuses their membership in the whitelist?  Since the new service is in beta, we really don’t have any examples of deviant behavior.  However,

Spamhaus is reserving the right to revoke whitelist status for any email etiquette transgressions, such as the distribution of bulk mail of any type. The whitelist will be maintained in both IP addresses and domain name forms as two separate, but matched, lists. Controls mean no domain or IP address that is on the Spamhaus Project blocklist can ever be whitelisted.

(Source: Spamhaus debuts whitelist service, The Register, 28 September 2010)
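The two quoted descriptions above (the SWL/DWL zones and the revocation controls) leave out how a receiving mail server actually consults the lists. The following is an added example, not Spamhaus code or documentation: it builds the DNS query names (IPv4 octets reversed, IPv6 nibbles reversed under `swl.spamhaus.org`; a vouch-by-reference TXT name in the RFC 5518 style `<domain>._vouch.dwl.spamhaus.org` for the DWL) and classifies a sender from the answers. The answer codes in `WHITELIST_CODES` and the stub resolver's records are constructed for this example; the authoritative return codes are in the Spamhaus documentation.

```python
"""Query-name construction and answer interpretation for the Spamhaus
Whitelist zones (swl.spamhaus.org / dwl.spamhaus.org), as an illustration.

Assumptions (constructed for this example, not taken from Spamhaus):
  * WHITELIST_CODES maps answer addresses to meanings.
  * STUB_DNS stands in for live DNS so the example runs offline.
  * The DWL lookup follows the RFC 5518 vouch-by-reference layout.
"""
import ipaddress

SWL_ZONE = "swl.spamhaus.org"
DWL_ZONE = "dwl.spamhaus.org"

# Constructed answer codes; consult the Spamhaus documentation for the real ones.
WHITELIST_CODES = {"127.0.2.2": "swl-listed", "127.0.2.3": "dwl-listed"}


def swl_query_name(address):
    """Build the SWL lookup name: IPv4 octets reversed, IPv6 nibbles reversed."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + SWL_ZONE


def dwl_query_name(dkim_domain):
    """Build the VBR-style TXT lookup name for a verified DKIM signing domain."""
    return f"{dkim_domain.rstrip('.').lower()}._vouch.{DWL_ZONE}"


# Constructed stub records standing in for live DNS answers.
STUB_DNS = {
    swl_query_name("192.0.2.10"): {"A": ["127.0.2.2"]},
    swl_query_name("2001:db8::25"): {"A": ["127.0.2.2"]},
    dwl_query_name("example.com"): {"TXT": ["all"]},
}


def resolve(name, rtype, dns=STUB_DNS):
    """Return the list of records of type `rtype` for `name` (empty if none)."""
    return dns.get(name, {}).get(rtype, [])


def check_sender(ip, dkim_domain, dns=STUB_DNS):
    """Classify a sender from the SWL (by connecting IP) and the DWL (by the
    d= domain of a verified DKIM signature).  A hit on either list means the
    message may skip the blocklist checks; anything else is 'not whitelisted'
    and goes through normal filtering.  No record, no exemption."""
    result = {"ip": ip, "domain": dkim_domain, "swl": False, "dwl": []}
    for answer in resolve(swl_query_name(ip), "A", dns):
        if WHITELIST_CODES.get(answer) == "swl-listed":
            result["swl"] = True
    txt = resolve(dwl_query_name(dkim_domain), "TXT", dns)
    if txt:
        # RFC 5518 vouch record: space-separated message types the vouching
        # service certifies ("all", "list", "transaction").
        result["dwl"] = txt[0].split()
    result["whitelisted"] = result["swl"] or bool(result["dwl"])
    return result


if __name__ == "__main__":
    print(swl_query_name("192.0.2.10"))
    print(swl_query_name("2001:db8::25"))
    print(check_sender("192.0.2.10", "example.com"))
    print(check_sender("198.51.100.7", "nowhere.test"))
```

Only a verified DKIM signature's `d=` domain should feed `dwl_query_name`; using the From header domain would let any sender borrow a whitelisted domain's reputation.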

Note that this service uses DKIM, something Microsoft Exchange DOES NOT support.  There are third-party solutions (example) that make Exchange compatible.  But if you use Exchange, I recommend adding a front end solution, like Barracuda Spam Firewall, between the Internet and your mail servers.  Other DKIM-compatible solutions are listed at DKIM.org.
