Tough Love, End Users

Next time you get infected, take a few minutes and learn from the experience.

You get infected and luckily your antivirus detects it and tells you as much in a nifty little pop-up window. (In a majority of cases, that’s about the only way you’ll know you got infected or came in contact with malware.) What do you do? Do you thank your antivirus software and carry on? Do you wonder whether it caught everything? Or if it will come back? Do you get curious about how or why? Do you care?

I’ll answer the last question. You better. Your computer holds keys to your financial data, whether or not you’ve ever logged on to an online banking or financial site from it. It contains information about you that can be used fraudulently and to gain more information about you. It can also reveal information about your friends, family and co-workers, thanks to the boom in social networking. Carelessness puts not only you, but everyone you interact with online, at risk.

If your computer gets 0wned (fully controlled by an attacker), the attacker has more control over your computer than you do, because they know how to use it in ways you likely haven’t imagined. For example, at work, you might not have access to personally identifiable information (PII), but your actions can lead to a compromised host and an internal launching point for deeper attacks that will. The PII could be exfiltrated without ever coming in contact with your computer. Scary, eh? Potentially very damaging to all involved too.

What can you do? Endpoint security software (firewalls, antivirus and IPS) can do a moderately effective job of protecting your host. In most cases, the fault of an infection isn’t that the security vendors “missed” it. They catch a lot and work hard at getting better and stopping more. Harder than you do I bet. Eh? Computers have software and hardware that can help detect and prevent malicious attacks. What do you use?

From the keyboard to the chair is your responsibility. Be responsible! Educate yourself. Learn to defend yourself and identify attacks on you. As long as you aren’t willing to put in some effort to learn about how you can be attacked, how you can identify those attacks, and how you can avoid them in the future, you are the biggest unpatchable vulnerability affecting your computer.

If you still don’t care, then thanks for stopping by and may your fortunes be secure. If you do care, then let’s talk a little about attacks and defenses.

You’ve likely heard about phishing emails and spam containing malicious attachments or links. Some of these are very sophisticated and seem very trustworthy. Trust nothing when computing. Any email, attachment, or link you encounter via email or social networking should be considered untrustworthy until you’ve ascertained that the source is valid and that the source intended the information for you. Think about whether the person who posted that link on your Facebook profile is the type who would have validated the information. If there is even the slightest doubt about whether it’s secure, consider it insecure until you have verbally spoken with the sender and taken measures to identify whether the link or file is malicious. (VirusTotal allows you to submit potentially malicious files for scanning by more than 35 A/V vendors and gives you a good idea whether the file is good or bad. They also have a URL scanner if you’re unsure about a link. Neither of these is a 100% assurance, however, so you start to see how this is about reducing risk, not eliminating it.)

Sometimes even the wisest are fooled if the scam is good enough or they are caught with their guard down. And sometimes the completely innocent are victimized. Drive-by downloads take advantage of browsing-related vulnerabilities to exploit a computer without the user doing anything other than browsing to the wrong site at the wrong time. Malvertisements use social engineering to entice users to run a program, such as the Fake A/V attacks. And those of us who like Macs need to get over the false notion that Mac OS X is more secure. It’s binary code written by humans and potentially vulnerable to being exploited by humans. Macs are gaining popularity, and with that will come attention and attacks.

A familiarity with what your programs are supposed to look like can help you identify anomalous behavior. Know what your antivirus alerts look like so that when you see a fake one it’s obvious you’re being attacked. Patching is another solid defense. At the bare minimum, always patch operating systems, browsers, and the Adobe products Flash, Shockwave, Reader and Acrobat as soon as patches become available, on all platforms.

I highly recommend Secunia PSI for Windows users. It’s free for home use and will monitor your computer for updates specific to your hardware and the software installed. It provides assistance with remediation as well, providing links to patches or details on how to close the gaps.

I bet you’d be hard pressed to find anyone who has used the Internet for more than a year who hasn’t run into something malicious, whether they are aware of it or not. People cling to guns for self-defense from an enemy they’ll likely never encounter. Yet they’ll pay no attention to a virus detection or the fact that their computer “might” be infected. I realize education and awareness aren’t as exciting as guns, but they’ll protect you from a whole lot more than a gun probably ever will.

Educate yourself.

You, Your Company, and Some Asshats in Eastern Europe

We in security see slivers of this just about every day. The Washington Post has an article titled Eastern European Cyber Criminals Target US Businesses. It’s the same old (spear) phishing scheme, with a little trojan or browser-based exploit thrown in. As easy as it was to infect and defraud residential users, it’s apparently just as easy and more profitable if they target the place where you work. It’s really a twofer, as the untold story here could lie in the status of the Comptroller’s or Treasurer’s personal finances when all was said and done.

Fraud via computer technology is a big money game. If you have money and use a computer, consider yourself a target. Yes, it is that simple. From online shopping and online banking to social networking, everything you do online sprinkles little pieces of you and your money all over the web. Sure, they use trojans/rootkits to gather the intelligence, but they have to get them on the machines in the first place, and to do that you need to go phishing.

So please, think before you do anything online. They are after your money as much as your employer’s. Don’t open attachments you aren’t expecting…period. Confirm with the person purportedly sending it by phone or in person before opening it. Likewise, don’t click on links in e-mail. If you don’t know how to tell the real destination of a link in an e-mail, then don’t risk the click. Before logging in to pay bills, ask yourself whether your computer has had any issues lately. Blue screens? Errors or popups? If you’re not 100% certain your computer is clean, get help. The following won’t stop everything, but they’ll definitely help and they’re free.

AVG Free Edition

Avira Antivir Free

F-Secure Online Scanner

Windows Live OneCare Safety Scanner (They rate a lot better than anyone is giving them credit for in detections of current threats.)

TrendMicro HouseCall

Be smart, because I promise you there are people much smarter than you who want your money…and you and your actions are the only thing standing in their way.
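One way to do the link check the post calls for (telling the real destination of a link in an e-mail), as an added example that is not part of the original post: parse the HTML of a message and flag anchors whose displayed text looks like a URL or domain but whose href points at a different host. The message body and domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL (scheme added if missing), 'www.' stripped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_deceptive_links(html):
    """Return (shown_text, real_href) pairs whose visible URL host differs from the real one."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not re.match(r"^(https?://|www\.)\S+$", text, re.I):
            continue  # ordinary words as link text: nothing to compare against
        if host_of(text) != host_of(href):
            hits.append((text, href))
    return hits

# Constructed sample message body; the domains are placeholders, not real sites.
SAMPLE_MAIL = (
    '<p>Your account is locked. Sign in at '
    '<a href="http://secure-login.example.net/bank">https://www.mybank.example.com/login</a> '
    'or read <a href="https://www.mybank.example.com/help">www.mybank.example.com/help</a>.</p>'
)

if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_MAIL):
        print(f"link shows {shown!r} but really goes to {real!r}")
```

Links whose text is ordinary words ("click here") are not flagged, since there is nothing to compare; for those, hovering to read the href is still the check.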


Depth in defense is always a priority in securing an environment. For the novice, the notion is that the more layers of defense you have in place, the more likely you’ll be able to detect the bad guys and their malicious code. The typical analogy is that of a fortified castle. From the outside in, a deep and wide moat surrounds the outer wall, with a drawbridge and/or portcullis to control and limit access. The inner walls provide an additional layer of protection for the castle, with additional barriers in place around the keep. And let’s not forget the men and women who strategize and defend their home. Firewalls, intrusion prevention devices, web gateways, and endpoint protection act as similar layers in the depth in defense model. It’s a good model, and if designed, managed and monitored properly it will serve as a well fortified defense system.

What concerns me is less the depth model and more how it’s constructed. I saw a prediction a year or so ago from an executive at one of the big security vendors that within 5 years there would be roughly 5 vendors who owned just about every security-based solution available. The trend continues in that direction. From a marketing standpoint, great for them. They can wrap them all up nicely in a bundle and say they are the single-source solution to all your security problems. But is that great for us, the end user?

Sure, the solutions they offer for the varying layers differ. A web security gateway isn’t an endpoint or antivirus client. But if the same company provides you that web gateway and the antivirus, do you gain anything running their antivirus on the web gateway? Mixing vendors, bringing in different ways of performing a similar function, is critical if you want to provide the best defense. Antivirus solutions vary greatly in their methodology and detection capabilities. They almost all use some level of signature-based detection, which is inherently weak in an age of malicious code that can polymorph or obfuscate by the second. The more layers of various antivirus solutions you can place between the attackers and your hosts, the more likely you’ll be able to stop it.

Revisiting the castle analogy, those outer walls by the moat seem like a good place for archers. The drawbridge/portcullis probably would benefit more from foot soldiers and hot oil vats above the entryway. Cavalry to stampede through the narrow lanes as attackers draw near to the inner keep, and your best and finest swordsmen and archers defending the castle proper.

Depth is critical, but depth plus width is where you’ll truly improve your chances of defense. You may have to suffer with different front-end management systems for the varying solutions but, honestly, most times you’re going to be better off isolating the administration of the varying layers as opposed to dealing with an all-in-one solution that in reality is a jumbled mess to manage. The majority of monitoring concerns can be handled with some basic alerting, event correlation or security information management.

So next time a vendor tells you they have the answer to all your security needs, think width-in-defense before you sign up for their suite of solutions.