Sunday, April 19, 2009

Firefox and No Script

Firefox is my browser of choice, at least for home use. It is not something that our IS division chooses to support in our work environment. I started using it because it was the more secure choice for browsing. It has had its security issues like everything else, but the Mozilla people are quick to fix them and it is still less likely to be the point of attack. In addition, they have these things called Add-ons. The idea of the Add-on is to customize your browser experience so that it works the way you like it. Some of these Add-ons are quite powerful. My favorite is “No Script”. It allows you to choose the scripts that you want to run. It is also an eye opener to see how many scripts are running on these sites, and which ones don’t need to run for the sites to work. I generally allow only the site I go to, if I need it, and none of the “analytics” that are used to track our browsing behavior. Those are not needed for the functionality of the web page. It is still amazing to me how many scripts are being used and how they are becoming critical to our browser experience. By blocking these scripts, we are less likely to click on a random site and become infected with some random malware! It allows us to pick and choose which sites we trust to run these scripts. This is a pretty powerful tool!!

Friday, April 10, 2009

My Mac Friends

To my Mac friends: I love Macs. I want one! They say Mac folks are a “class of their own”. They say they don’t think they need to worry about security and “antivirus”. Well – I’m a Mac lover and I agree they have built a great system. But please don’t miss the threats that are being aimed at the Macs! Think about it. Mac lovers are willing to spend a little more on a good system. In the short term, they were not targets. But now – as the world is getting more sophisticated, as are the bad guys, Macs and Mac users are targets.

Yeah for Macs. I love them! I want one! I used to work for an organization that was all Macs! That is, until Windows ’95 came along and offered some of the things that the Mac folks already knew and had been enjoying for a number of years! But – Windows ’95 came in at a better price! It took probably fifteen years for the Microsoft folks to get up to speed with the Macs – and I don’t think they’re there yet – but they definitely have the market share. Finally the Microsoft folks are getting their operating systems, and software, to a more secure level. The Mac folks have still been sitting back there for the last 15 years wondering when they (Microsoft) would catch up!

I love the fact that the Mac went to an underlying system that is Unix based! More of us will be able to understand and want the Mac for just that reason! Their systems are tough both physically and electronically! But – they are being targeted – not a lot, but enough to make the Mac users hesitate. First – their file system is set so that “everyone” has read permissions for any newly created files. Friends – stand up and take notice. You do need to be sure your systems are secure. You do need to purchase and install an antivirus program. You do need to use the firewall. OS X comes with a built-in firewall, but you may want to change the configuration. For help with hardening your Mac platform, check out the SANS MAC OS X Security Checklist at http://www.sans.org/score/macosxchecklist.php.

Network administrators may also need to help your Mac users. Macs can’t just be “left alone” … if they are on your network, you need to understand how they work, and what they are capable of. Those Macs are mighty powerful systems – and you want them on “your” side, not the bad guys’ side! The SANS Checklist also includes information about the Mac as a server. It is a “must read” for Network Administrators!

Sophos just had a great article about the latest threat to the Macs. They even have a video showing how easily they can be exploited. Please check it out at http://www.sophos.com/pressoffice/news/articles/2009/03/mac-malware.html. It is worth the time and money to put an antivirus on your Macs!! There are several options, also outlined in the SANS Checklist, including some enterprise options.

Mac users – go forth and enjoy – safely!!

Friday, April 3, 2009

What's Up With DNS?

DNS (Domain Name Service) is that wonderful service that translates domain names to IP addresses, like sans.org to 66.35.45.201 or yahoo.com to 68.180.206.184. DNS is inherently a very troubled, insecure service. It uses UDP port 53. UDP is one of the transport protocols in the TCP/IP protocol suite. UDP is sometimes referred to as "Spray and Pray" because it just sends packets out and hopes they get to their destination. UDP is called an "unreliable protocol" as there is no guarantee of delivery, or of a response for that matter.

So what's all the hubbub about DNS being such a problem? First - it may take a little time to get your answer back. You type "www.yahoo.com" into your browser and you wait for a connection. Behind the scenes, a UDP request goes out to your "name server", which will attempt to translate the words to an IP address and send your browser's request to that address. If your "name server" doesn't know the answer, it sends the request up the chain to another "name server", until someone along the line knows how to translate the name to its IP address. This week two of the big name servers, Neustar and Register.com, were both hit with DDoS (Distributed Denial of Service) attacks. Several big companies were affected, including Amazon and Petco. They reported a huge increase in name service requests, to the point that they were unable to service all of the requests. The result ... you probably would not be able to connect to Amazon.com.

This is just one of the many problems with the current DNS standard. To learn more about how DNS is set up, see RFC 1035 for the Implementation and Specification document. "RFC" stands for "Request for Comment" but the RFCs are the definitive documents on how things work in the Internet protocol world!
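To make the exchange above concrete, here is a small encoder and parser for the UDP query and answer described in RFC 1035, added as an example and not code from the original post. The reply bytes are constructed, not captured from a real server, and the parser refuses any reply whose transaction ID does not match the query's, the first check a resolver must make before it trusts anything that arrives on port 53.

```python
import struct

def encode_name(name):
    """Encode "sans.org" as the length-prefixed labels DNS puts on the wire (RFC 1035 3.1)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
def build_query(name, txid):
    """The A query a stub resolver sends to its name server on UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: recursion desired
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
def read_name(msg, off):
    """Decode a name at `off`, following compression pointers; returns (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)
def parse_a_records(response, expected_txid):
    """Return (name, ttl, ip) answers; reject a reply whose ID or QR bit is not what we expect."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(response, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:  # A record, class IN
            answers.append((name, ttl, ".".join(str(b) for b in response[off:off + rdlen])))
        off += rdlen
    return answers

SAMPLE_TXID = 0x1234  # constructed reply for build_query("sans.org", 0x1234); not a captured packet
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    + encode_name("sans.org") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([66, 35, 45, 201])
)
```

Because UDP carries no session, the 16-bit ID and the echoed question are all the client has to tie an answer back to its query, which is why a resolver that skips that check is trivially misled.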

Wednesday, April 1, 2009

Are we April fools, or just foolish?

We’ve made it through April Fools Day without an incident with the Conficker worm. Perhaps it has taught us a lesson or two. There have been a lot of people getting their computers “up-to-date” these last few days with the threat of something possibly happening. That has to be a good thing. Some of us will be a little more confident in our “effective posture” on April 2nd. Let’s see if we can keep up the good work without becoming complacent after a few days go by!

Another new threat emerged this past week – a new worm that is targeting routers – primarily home routers. It is supposed to be very stealthy – that means it will be hard to detect that you have been compromised! Many of us have our home wireless routers in place – perhaps we did our due-diligence when we set them up. But many people have put them in place without understanding what they do, or taking the time to change the default passwords! So this brings up a couple of basic security premises for routers:
1) Always change the default password!
2) Patch! Patch! Patch!
3) Turn off management access from the Internet.

So - we're back again to passwords and patches! And - why expose our management interface to the Internet if we don't need to? It's sort of like locking your front door!