Friday, May 29, 2009

Hackers Don't Want my PC

Many people say this when the subject of protecting a home system comes up. "I don't bank online", "I don't shop online"; people offer all of these as reasons they believe they are safe. Is that true? Not at all! You may not have anything an attacker wants along those lines, but you still have something very valuable: a PC sitting idle all night, usually on a broadband connection. That is most likely worth more to an attacker than your eBay account or that credit card, which is probably maxed out anyway :).

Your idle CPU cycles, bandwidth and IP address are useful for lots of things: sending spam, herding other bots in a botnet used for many purposes, hosting stolen software or music, and the list goes on and on. I stumbled on this article from the Washington Post via Slashdot:

The Scrap Value of Hacked PCs

If anyone says no one would want their PC, tell them what you read here or, better yet, give them the link so they can read it for themselves. The article is very brief and doesn't really get technical, but it gets to the point: no PC is safe!

How can you protect your machine?


1. Get a good Malware tool for protection and removal.

I recommend Malwarebytes. Download the free trial version. The trial is fully functional; you just do not get real-time protection. That means it will remove viruses, spyware, adware and so on, but it doesn't run in the background to stop you from getting infected in the first place. So you should also think about getting a tool that runs in real time. Using multiple vendors is not a bad idea; sometimes one vendor releases a new definition quicker than another.

2. Get and keep your Anti Virus applications up to date.

There are many free antivirus applications out there. I would not recommend ClamAV here because at this time it has no real-time protection. It is a good AV solution for network appliances that can use it in real time, but not yet for the home user, in my opinion. I have a friend in Canada who is working on a real-time engine for it as his Master's project. He anticipates having it ready in the next year or two. I use AVG and have come to like it.

I would recommend paying for a program, though. The reason is that most of the free ones rely on definitions alone, and there are encoding techniques that will bypass 90% of antivirus programs today. That means you can be infected again by the oldest virus known to vendors because it looks different to your scanner. So you should purchase an antivirus program that includes what is called an IPS (Intrusion Prevention System); on a host, these work by watching for unusual system behaviour rather than relying only on definitions. I also recommend Symantec. Many people will tell you they don't like it, and we are all entitled to our own opinions, but I have found it to be one of the better ones out there. Others would tell you McAfee. I have not had good luck with McAfee and thus don't recommend it, but your mileage may vary.

3. Protect from the network

For those who are a little more technically inclined, I also recommend Untangle. Look for their option called "Re-Router". This is an excellent network appliance that provides a high level of protection. The Re-Router option is really nice because you just install it on one of your Windows PCs that is connected by Ethernet cable to your switch/router, and that one system then provides protection for every computer in your house. It is NOT a replacement for the antivirus/IPS on each host, only an addition to it. I assist in the development of new features for this device, so I may be a bit biased :), but it is a very nice set of applications.

4. Keep your applications and operating systems up to date.

Run your Windows, Mac or Linux updates as often as possible. If there is an automatic method, use it. Don't forget your third-party applications either. As my Automatic Updates post from a few days ago shows, the update mechanism itself can be attacked, so read that post to learn how to keep this from backfiring on you. But by all means do the updates! Attacks come through vulnerabilities in applications probably more than any other way, and keeping up to date makes it harder for attackers to gain control in the first place.

5. Don't underestimate the power of shutting down your computer when you are not using it. Maybe even switch off your router or modem. If you don't need it on, don't leave it on. This is especially true if you are going on vacation.

If anyone has any other security/AV questions or needs assistance with any of these applications, feel free to email me. I offer general security consulting for free and do not mind helping out. Yes, that goes for businesses as well as home users!

This is by no means an exhaustive list of things you can do; it is just some examples to get you started. I love security and do security because I believe computers, networks and the Internet should be, and remain, a good and fun tool for us all. I hate that we have to be so cautious, and that some people avoid using them altogether because of the threats out there.

Tuesday, May 19, 2009

When is there an incident?

I just wanted to post this as a question to those who read this blog, all 2 of you :P. I had a discussion with a security admin the other day. They wanted me to take a look at their incident handling document, which outlined the steps they would take in the case of an incident. Now don't get me wrong, I believe the document was spot on. It was well written, and you could tell a proper balance of technical and informational detail had been found. What it did bring to mind is this: when has an incident, specifically a compromise, happened such that a process like this needs to be put into action?

I realize there is a balance to strike, because if we ran this same routine for every system infected with a virus, management would probably start to distrust that things are going well (the little boy crying wolf). What about a bot, though? If you are not familiar with bots, you can read previous posts on this blog or just Google the term and you will run into a ton of information. Long story short, bots are used to control systems remotely. The problem I see is that a lot of companies downplay the significance of a bot. Just because that bot is only popping up ads on your PC right now doesn't mean the attacker has anything less than full control of your system. In my mind, a party outside your network, often unknown to you, has full control of one of your systems. That sounds like a compromise, and an incident, to me. It only takes one update from the bot's command and control server to turn it into something much more horrifying.

Now there are controls like IDS and IPS systems that can often block such software and alert on its presence. This is a good thing. The question, though, is whether this should be treated as a compromise incident or quietly removed and cleaned up because it was caught so early. I guess a third option would be an incident handling process that does not alert management for every case. Not that we want to cover these tracks; rather, the security admin keeps track of them and perhaps reports at a quarterly meeting: "we had x major incidents and y minor incidents". It's an interesting balance to find. I would love to hear some opinions.

Automatic Updates

So you are a good user who does their software updates, right? Windows Automatic Updates is turned on and running. How about those third-party applications like Java, WinZip, iTunes or even Notepad++? You have those updating automatically too, right? What you are about to see will probably make most of you run over and shut those down now! It's quite scary. While the attack is relatively simple technically, it seems to me a way into systems you would otherwise think unreachable because of the diligence of some users in updating their applications.

Evilgrade

Here is a demonstration from John Strand:

John Strand's Evilgrade demo


It looks, works and feels like Metasploit. This just goes to show that we need to verify downloaded updates against the checksums published on the software company's own website, if they offer them, obtained separately from the update itself; if not, we should test updates in a lab to see how they behave before rolling them out. This goes for those of us distributing updates via something like SCCM or Shavlik too. Keep your eyes peeled for these types of things! People get very sneaky when you have a resource they want.
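As an added example (this is not code from the original post, from John Strand or from the Evilgrade project), here is the checksum check described above done in Python: parse a vendor-published SHA256SUMS-style file (the format `sha256sum` emits), hash the downloaded installer in chunks, and compare against the published digest in constant time. The installer bytes, the file name `update-1.2.3.exe` and the digest line are constructed sample data standing in for what a vendor would publish; a missing entry or a malformed digest line is treated as a failure rather than a pass.

```python
"""Verify a downloaded update against a vendor-published SHA-256 digest.

Added example, not the original post's code. The sample installer bytes and
the published digest line below are constructed for the demonstration. In real
use the SHA256SUMS text must be fetched from the vendor's own site over HTTPS,
separately from the update channel that delivered the binary; an attacker who
can swap the binary (as Evilgrade does) can swap a digest served alongside it.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large installer is never read into memory at once
HEX_DIGITS = set("0123456789abcdef")


def parse_sums(text):
    """Parse 'SHA256SUMS' text: one entry per line, a 64-hex-char digest, two
    spaces (or ' *' for sha256sum's binary mode), then the file name.
    Returns {filename: lowercase hex digest}. Blank lines and '#' comments are
    skipped; any other malformed line raises ValueError so a corrupted or
    truncated sums file can never silently verify."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<digest>  <filename>'" % lineno)
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError("line %d: not a SHA-256 hex digest" % lineno)
        sums[name.lstrip("*")] = digest  # '*' marks binary mode in sha256sum output
    return sums


def sha256_file(path):
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_update(path, sums):
    """True only if the file's SHA-256 equals the published digest for its
    basename. No published entry means no verification, so that is False too.
    hmac.compare_digest keeps the comparison constant-time."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


# Constructed sample data: a stand-in installer and the digest line the vendor
# would publish for it (computed here only because there is no real vendor).
GOOD_INSTALLER = b"MZ\x90\x00 fake installer 1.2.3 (constructed sample)\n"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00 extra bytes an Evilgrade-style server might append"
PUBLISHED_SUMS = "# constructed SHA256SUMS\n%s  update-1.2.3.exe\n" % (
    hashlib.sha256(GOOD_INSTALLER).hexdigest()
)


def demo():
    """Write the genuine installer, verify it, then overwrite it in place with a
    tampered binary of the same name (what a hijacked update server delivers)
    and verify again. Returns (genuine_ok, tampered_ok)."""
    sums = parse_sums(PUBLISHED_SUMS)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update-1.2.3.exe")
        with open(path, "wb") as f:
            f.write(GOOD_INSTALLER)
        genuine_ok = verify_update(path, sums)
        with open(path, "wb") as f:
            f.write(TAMPERED_INSTALLER)
        tampered_ok = verify_update(path, sums)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print("genuine verified: %s, tampered verified: %s" % demo())
```

The same check belongs in the SCCM or Shavlik packaging step: compute the digest of the binary you are about to push and compare it with the vendor's published value before it reaches a single client, rather than trusting whatever the update URL handed back.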

Monday, May 11, 2009

On the Ruby wagon

So I started taking a look at Ruby this past week. So far it seems pretty easy. It takes an interesting approach for a language: from what I am reading, one of the goals was to make it read like real sentences. Why did I bother to start looking at it? Mainly because Metasploit consists of a lot of Ruby; it appears to be moving in this direction from Perl. There are some other applications I have been looking into that use it as well. With all of the other stuff on my plate, I'm not sure how far I'm going to get with it any time soon. Here is a good book I am going through to learn it. The author has an interesting style which makes it easy to read:

Why's (poignant) guide to Ruby

Friday, May 8, 2009

Certification Roadmap

So after my post the other day, I started thinking long and hard about where I want to go professionally, and specifically which certs to focus on as the vehicle to get there. After that process, here is my plan (for those who care :))

I'm finally going to schedule my GPEN for the 18th of next month. My next goal is to obtain my CISSP by the end of the year; there is an exam being held in Atlanta on December 19th, and my goal is to sit it then. I will probably take some time off from then until the end of the year. Starting Jan. 1st of next year, I am going to focus on getting the GSEC certification, followed by GCIA and finally GCIH. I would like to have all three done by June of next year, because I would like to have two gold papers done for two of those certifications by the following summer so I can shoot for the GSE.

Why the timeline? Well, you have a time limit of 6 months for each of your gold papers. This gives me the full 6 months even if I finish them early. Why do the gold papers? The simple answer is that they are prerequisites for the GSE certification. For those of you not familiar with the GSE, the exam is only held once a year. At this time there are only 13 people with this certification. It is a rigorous process. After the prerequisites and acceptance to take the lab exam, the process includes a multiple-choice exam covering a wide variety of topics, much like the other GIAC exams, followed by a two-day hands-on lab. The first day of the lab consists of a rigorous battery of hands-on exercises drawn from a wide range of security domains. The second day consists of an Incident Response Scenario that requires the candidate to analyze data and report the results in a written incident report as well as an oral report.

In short it covers the following skillset:

  • General security skills
  • Incident handling skills
  • Intrusion detection and analysis skills

On the journey I go! It will be a long process, but I hope to learn a lot and to possibly set myself a little outside of the pack in the quickly filling security field. I welcome any and all study partners who may have the same or similar goals. Group study is much better than personal study. I will probably start a website and mailing list much like GroupStudy but security focused. Keep your eye out or email me for more information on that.

Sunday, May 3, 2009

Summer Reading List

Some of you may know that I have been trying to compile a list of books to go through. I attempted to create a sort of "book club" to get a bunch of people together to go through them, sharing what we all learned. That didn't take off too well. I started with Hacking: The Art of Exploitation. This was an excellent book. I learned a lot! It is not for the faint of heart, though. Get ready to dig into some serious C code. It definitely makes me want to go back, dust off what I remember of C and learn it again. At that point, I may reread the book in an attempt to get even more out of it.

So what's next on my list? Well, I have two that are in a toss-up. The first is Snort IDS and IPS Toolkit by Jay Beale. Though I have also been thinking about the O'Reilly book Beautiful Security.

Here is the remainder of my year's reading list:

Wireshark & Ethereal Network Protocol Analyzer Toolkit

Nessus Network Auditing

Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research

The Shellcoder's Handbook: Discovering and Exploiting Security Holes

Reversing: Secrets of Reverse Engineering

Rootkits: Subverting the Windows Kernel

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

The Database Hacker's Handbook: Defending Database Servers

This is in no specific order yet. On top of all of this I really need to knock out the GPEN certification and the CISSP by the end of the year. Following soon behind that is the renewal of my CCNA. I'm probably going to do the CCNA Security, surprise :). This will renew my CCNA and add the Security piece to the end.

As many of you know, I have been working on an IT security degree as well. While I hate to quit things, I really have a hard time finding a school that can teach real security skills that are helpful and relevant in the real world. I am looking at the University of Advancing Technology. I guess the security program there was started by the same guy who started the Defcon conferences. That has some merit to it. The class outline looks to be relevant. So I may attend there to finish my degree.

To be quite honest, the other day I stumbled over an old favorite in my browser, the infamous lab of Scott Morris. At the end of his resume page there is a link to how he came to be where he is: Scott's Story. After reading that story, I felt like I can just keep on doing what I do, how I do it, and who needs school. If any of you reading this know me personally, that's not an unfamiliar statement. So maybe I won't go back. This is hard to tell at the moment. It would sure help me focus on getting my GPEN and CISSP out of the way rather than having to come home and do homework every night. Who knows. Time will tell.

So if any of you out there want to join in the reading list, leave a comment or email me.