Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Sunday, November 14, 2004

The folks at Mailfrontier have come up with a new "Phishing" test. There are 10 examples of messages. Your task is to decide if each message is legitimate or an attempt to get identity / financial information for fraudulent purposes.

The test is here at http://survey.mailfrontier.com/survey/quiztest.html

I am pleased to report that I got a perfect score. But there are some clever ones in there. Check it out, and report back on your results.

I did get the bulbs (flower, not light) planted on Saturday. Also got the floors cleaned. But I spent most of my time yesterday and today on the computer, working on a few Crystal Reports and other things related to a membership list for church. It was a quiet Sunday: the usual Church meetings, then a quiet evening at home. Pam was a bit tired from her trip home from Idaho yesterday, so the kids/grandkids didn't come over. There are some colds running around their house, and we didn't want to share. We'll meet up with them later this week.

Monday, November 15, 2004

Beware the "Ides of November". Not sure why, but what the heck.

Today's "Handler's Diary" for the Internet Storm Center (here) has some other security-related links that might be interesting.

Now you'll have to excuse the short post. Pam went to the grocery store, and came back with some Ben & Jerry's "Cherry Garcia" ice cream.

Ya gotta have a few priorities.

Tuesday, November 16, 2004

I started out the day with my "Information Security" presentation. It's a user education thing, talking about policies, protection of data, dealing with spam, configuring your computer, etc. All of the stuff that's been discussed here. It was well-received; it looks like I'll get to teach a class at our internal "university" classroom training. At least, the class will be in the spring catalog; we'll see if anyone signs up.

Late this afternoon, I got a frantic message about a work web site I designed. It's a "Cold Fusion" site, with access to a database of items. It's not very fancy, but it works. There are simple CSS style commands, some tables, and some forms with 'submit' buttons. No javascript or other fancy things.

So we got a message from a person that they were getting "400" errors ("HTTP/1.1 400 Bad Request") when they clicked on the form button. A quick test using IE as the browser worked just fine. And a test with "NetCaptor", which uses the IE engine, also worked fine. So we figured the person was using an 'alternative' browser. (Heard of any in the news lately?)

I downloaded a fresh copy of Firefox (actually, my first copy). Got it installed; used all the default settings. Then I went to that page, clicked on the "Submit" button, and got the same "400" error. WTH?!

The problem occurs on any pages on that site that use a 'form' with a 'submit' button. Hmmm. We use a 'form' button here on our mail form. A quick test of that form worked just fine.

Now, I built both sites. And the only difference is that the work site is running on a Win2K Server with Cold Fusion, while this place is on a Linux site. But the page code generated by Cold Fusion is just plain HTML. Not sure where the problem is; by this time it was time to go home. So I'll do a bit of testing tomorrow.

While using Firefox, I noticed a few other differences in how many pages are rendered by Firefox vs IE6. For instance, on this place, we use the Verdana font at 14pt. In Firefox, the text is visually smaller. Line spacing is different. Bulleted lines are also smaller. Table borders are sometimes missing.

If you have installed Firefox, take a peek at your favorite sites, comparing them with how they look in IE6. You might find it interesting. Let me know what you find out. This will take some more poking around.

And, although I've been using IE6 for a long time on my Windows XP system, I haven't had any serious problems with viruses, worms, phishing, URL mis-direction, etc. All I do is practice "safe computing": operating system updates, virus updates, don't open attachments, never unsubscribe, have a pop-up blocker (Google toolbar), have a hardware and software firewall, wireless encryption, strong passwords.

All the things in my "Simple Steps" guide.

And I lock my door and take my keys, stay out of dark areas, and call my mother.

Wednesday, November 17, 2004

John Dominik (one of my regular web stops) was asking for advice on managing his network at his new job. So, I came up with these suggestions, which you may also find interesting.

1. Set up a Microsoft Software Update Server (it's free) to get MS OS updates out to servers and clients. Set the servers for automatic download/manual install, and workstations for automatic download/unattended install. Those settings can be done with a registry push to the computers. Depending on the version of OS, you may need to do a manual Windows update to get them to the level for the "SUS" to work. Set the workstations to check for updates daily. SUS is not hard to figure out, and will offload the OS update thing.

2. Get some sort of AV on the workstations. At work, we use McAfee, so that's all I know. Settings on the workstations should be locked with a password so the users can't disable/change things. Set for daily checking of updates. That will take care of AV on the workstations. On servers, have them check for updates hourly.

3. For email, check into some sort of mail filtering software. One important feature would be blocking of all incoming executables, and virus blocking. Both will help a lot in preventing virus attacks. There are some free/open source mail filtering packages. Expect to spend a bunch of time tweaking the rules to reduce false positives. Blocking all executables will protect from 'zero-day' attacks.

4. If web browsing is a problem there, web blocking may be needed. You can justify that by installing a 30-day eval of SurfControl (we use it) in 'stealth' mode to watch usage patterns. When we did that (with exec approval), we found 30-35% of bandwidth was streaming audio. That was putting us over our 'pipe' limit, and our ISP wanted to bump us up to a higher (more $) bandwidth allocation. So we blocked that, along with objectionable stuff (reduce sex harassment lawsuit possibilities, for instance).

5. You should have acceptable use policies. Samples are at www.sans.org. They protect you, the company, and employees against possible legal problems. As part of that, users should sign a document acknowledging the policies. Also good protection.

6. For adware/spyware, you might try using Ad-Aware or Spybot Search & Destroy. Both can be installed on workstations to run in the background. Adware/spyware problems are going to increase, and they can cause big user-support problems that take a lot of time to fix.

7. MS-Office updates are important, but not automatable yet. Although the upcoming version of the Software Update Server will do Office updates. In the meantime, I'd recommend updating manually. Several image-based problems/attacks are out there.

8. Watch out for ad-hoc wireless networks. Great attack vector into your network. Don't allow them.

9. Consider some sort of 'security awareness' program for employees. Get them to think about protecting company information (paper and electronic). For those that have laptops, buy them a cable lock. Consider having the data folders encrypted; power on passwords are good. The protection of the data is more important than protecting the hardware....you can buy a new laptop, but replacing the data is a b***h. Get a good shredder for the offices, perhaps one for everyone. Besides, shredder confetti is fun.

10. Plan for replacement of equipment. We (at work) figure servers have a 'life' of 3 years. After that, parts/service is too expensive. Workstations 3-4 years. Laptops 2-3 years. YMMV. But it's good to plan for that.

11. You should be trying to move server operating systems to Windows 2003 (for your Windows servers). Much more secure by default.

12. Pay attention to log files on servers. Set up auditing. It's not fun, nor easy, but it will help you protect against attacks.

13. Strong password policies, especially on servers. Limit admin access to servers to those that know what they are doing. Set up workstations so they are not local admin equivalent -- that reduces threats/problems from attacks. Role-based administration is good.

14. For workstations, consider setting up a restore 'ghost' image on a hidden partition of the drive. If the user has a problem that is too difficult to fix, just restore the original configuration. Educate users to store docs on servers, which get backed up. Some problems are too much trouble to fix; a restore area on each computer will save a lot of time in the long run. A standard configuration (software, settings) will also reduce support time.

15. If users are spread out, consider a remote control type of program. I really like Funk Software's "Proxy" program (www.funk.com). When I was doing IT support for a department, we put it on all workstations. When a user had a problem, we could quickly connect and 'see' their problem, and fix it without leaving our desk (I'm sort of lazy...). Since our users were in several buildings, and we had limited help, it saved a bunch of time....and the users loved getting things fixed fast. We were able to use the support techs on the harder problems that did require a site visit. With the remote control, we could fix user problems pretty fast, even the "PBDAC" problems.

16. I also use the Proxy program on servers. Since the servers are in a separate area, remote access/control saves a lot of time. And since we have VPN, I can 'fix' and monitor the servers from home.

17. Consider some sort of tech support call tracking system. You can spot patterns of problems, and also use the data to get more bodies or hardware/software.

That will get you started with a few projects for your spare time <grin>. We've done most of these things at the office; I've done some of them (standard workstations, Ghost images) when I was IT support for a department. Takes a bit of time to set up, but saves time down the road.

Thursday, November 18, 2004

The Washington Post has an article about phishing and other scams. It is interesting, and those types of scams are getting more sophisticated. I found the Post's link on Dr. Jerry Pournelle's site. He (along with many of you, I'd bet) are getting similar phishing emails. He wondered how to report phishing attempts.

There are a few places you can report phishing emails.

One is the "Anti-Phishing Working Group", at http://anti-phishing.org/index.html . You can email your phishing mail to reportphishing@antiphishing.org . Make sure that you send the whole mail; you can't just "forward". Create a new message, then drag the phishing message into the "attach" area of the new message. This makes sure that they get all the 'envelope' information.
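Why a plain forward isn't enough, as an added example (not from the original post, standard library only): the first function copies just the body the way a normal "forward" does, the second attaches the whole original as message/rfc822, and a small check shows which one still carries the Received and Return-Path lines the report needs. The phishing sample is constructed, with fake addresses.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed sample phishing mail as it would sit in a mailbox (fake headers).
PHISHING_RAW = """\
Return-Path: <bounce@example.invalid>
Received: from mail.example.invalid ([192.0.2.10]) by mx.example.org; Thu, 18 Nov 2004 10:00:00 -0700
From: "Your Bank" <alerts@example.invalid>
To: victim@example.org
Subject: Please verify your account
Content-Type: text/html

<a href="http://198.51.100.7/login">Verify now</a>
"""

# The 'envelope' information the reporting address wants to see.
ENVELOPE_HEADERS = ("Return-Path", "Received")


def forward_inline(raw: str, to_addr: str) -> EmailMessage:
    """A plain 'forward': only the body is copied, so the envelope headers are lost."""
    original = message_from_string(raw, policy=default)
    fwd = EmailMessage()
    fwd["To"] = to_addr
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content(original.get_content())
    return fwd


def forward_as_attachment(raw: str, to_addr: str) -> EmailMessage:
    """Attach the complete original as a message/rfc822 part, headers included."""
    original = message_from_string(raw, policy=default)
    report = EmailMessage()
    report["To"] = to_addr
    report["Subject"] = "Phishing report"
    report.set_content("Phishing sample attached unmodified.")
    report.add_attachment(original)  # an EmailMessage becomes a message/rfc822 part
    return report


def preserved_envelope_headers(msg: EmailMessage) -> list:
    """Names of envelope headers found anywhere in the message tree, in order."""
    found = []
    for part in msg.walk():  # walk() descends into the attached message too
        for name in ENVELOPE_HEADERS:
            if name in part and name not in found:
                found.append(name)
    return found
```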

That site also contains an 'archive' of phishing mails, including what the mail looks like, and the pages that you'll get if you get 'hooked'. Those pages are great as an educational tool. I use it in my presentations to users in staff meetings, showing the pages where you can type in all your personal information.

The key point is to be very careful about entering personal and financial information. If you think you need to enter information for a bank site, don't click on a link in an email. Enter the address manually.

And before you do that, step back for a moment. Think about why a bank would need your credit card number, or your PIN number. Wouldn't they already know that?

Identity theft is big business. And a big pain to fix; it can take months. Readers would be well-advised to check their bank/credit card activity regularly, at least once a week.

There are some good resources about privacy and identity theft: http://www.consumer.gov/idtheft/ (US Govt), http://www.privacy.ca.gov (California), and other places (found via any search engine).

At the office, we get a lot of those phishing emails. Most use the 'on mouseover' tag to hide the actual URL link. So I put a rule in our mail filter to throw away any message with that tag.
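The rule in code, as an added example (not the office's actual filter configuration; standard library only): it decodes each HTML part before matching, because a quoted-printable soft line break can split the attribute on the wire and hide it from a rule that matches the raw message. Both sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Matches the attribute regardless of case or spaces around the '='.
ONMOUSEOVER = re.compile(r"onmouseover\s*=", re.IGNORECASE)


def html_bodies(raw: str):
    """Yield every text/html part, with its transfer encoding already undone."""
    msg = message_from_string(raw, policy=default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def should_discard(raw: str) -> bool:
    """The filter rule: True if any HTML part carries an onmouseover handler."""
    return any(ONMOUSEOVER.search(body) for body in html_bodies(raw))


def raw_grep(raw: str) -> bool:
    """What a rule that matches the undecoded message would see."""
    return bool(ONMOUSEOVER.search(raw))


# Constructed sample 1: the status-bar trick, sent quoted-printable so the
# attribute is split across a soft line break ('=' at end of line).
PHISH_QP = """\
From: "Your Bank" <alerts@example.invalid>
To: victim@example.org
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://198.51.100.7/login" onMouse=
Over=3D"window.status=3D'https://bank.example.org'; return true">Verify</a>
"""

# Constructed sample 2: a plain-text newsletter, nothing to flag.
LEGIT_TEXT = """\
From: newsletter@example.org
To: victim@example.org
Subject: Weekly notes
Content-Type: text/plain; charset="us-ascii"

Reminder: the web page is https://example.org/notes (type it in yourself).
"""
```

Legitimate HTML newsletters also use onmouseover, so a rule this blunt trades false positives for simplicity, exactly as the text says.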

We've discussed this phishing issue before, in our report on Phishing for Fun & Profit. There are some samples of how it works. Whether our samples work on your system depends on whether you have installed the appropriate patches.

... more later ...