Thursday, 26 November 2015

New Dell computers and online security

A certificate security issue has been identified on recently-sold Dell computers. Affected computers can be tricked into believing that fake sites are legitimate. To test if your computer is vulnerable:


Technical details of the issue can be found at: http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/
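A check for the condition behind the issue described above, written for this page as an added example rather than something from the original post: it looks for a self-signed certificate in the Trusted Root store that also has its private key on the machine, assuming (beyond what the post states) that this is what allows a fake site to be made to look legitimate, since whoever holds that key can sign a certificate for any site name.

```powershell
# Added example (not from the original post): list self-signed certificates in the
# Trusted Root stores that also carry a private key on this computer.
# Assumption: that combination is what makes the Dell issue exploitable, because
# anyone holding the key can issue certificates this PC will trust for any site.
# Run from an elevated PowerShell prompt; an unaffected PC normally lists nothing.
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$suspect = foreach ($store in $stores) {
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if ($suspect) { $suspect | Format-Table -AutoSize }
else          { 'No self-signed root certificates with a private key were found.' }
```

Anything listed should be compared against what the PC's manufacturer and the article linked above describe before it is removed, since a legitimately installed corporate root CA can also appear here.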

Friday, 20 November 2015

Ransomware - Why Antivirus Software is not Enough

This post was brought about by a recent telephone enquiry regarding preventing ransomware infections. I thought it would be sensible to write a non-technical discussion of ransomware. I pondered over what to include for some time, as even a non-technical article was in danger of becoming very long. In the end I decided on the Frequently Asked Question format below.

What is ransomware?

Ransomware is a form of malware that will attempt to encrypt data files. Typically, these files will be spreadsheets, word processing documents, pictures and so on: in short, a large amount of any organisation’s or person’s valuable data. After the encryption process has run, the user is offered the key needed to decrypt the files in return for paying an amount of money. Usually, this will be in the form of an untraceable BitCoin transaction.

Why can’t you just “unencrypt” our files?

The encryption used is very “strong”. Without the necessary “key” it is not possible to reverse the encryption process. So-called “brute force” (in simple terms, guessing the key) might get there, but only after several hundred years. In some cases law enforcement has caught up with the bad guys and published the recovered keys, which can then be used to decrypt infected files. (1)

Why do the bad guys do this?

It is incredibly lucrative for them. This year alone, it is believed that the group behind “Cryptowall” has made US$325 million. (2)

How would it get on to our computers?

Ransomware infection can have a number of sources. Most commonly, an e-mail with an attachment or a link to an infected website. Some of these are bulk e-mails that try to catch the unwary, such as fake speeding fine notifications (3). We do, however, see attempts at infection that are clearly targeted at the organisation that receives the e-mail. For example, property lawyers receiving e-mails with subjects like “Property listing in suburb A”. Unfortunately, an infected website is not necessarily an obscure, not-safe-for-work site. The bad guys are very well resourced (see the figure of US$325 million above) and will go to great lengths to compromise seemingly safe, well-known websites. (4)

But, we have anti-virus software, won’t that protect us?

It is possible that your anti-virus software will detect the ransomware; unfortunately, it will almost certainly do so around 48 hours after all your files have been encrypted. The well-resourced bad guys go to great lengths to avoid their malware being detected by current virus checkers. This is not to say that we can all stop running anti-virus software; it is still required. It is just not enough, on its own, to prevent ransomware infection.

So, how do we protect our system?

You absolutely must have good backups. This won’t prevent infection, but it will allow you to recover if the worst happens. The primary defence we are implementing against ransomware infections is “Software Restriction Policies”.

Software Restriction Policies - how do they work?

Very simply: SRP will only allow programs to run from certain locations. If, because of the configured security, the end user cannot save a file in any of those locations, they cannot run an inadvertently downloaded ransomware tool. That is a very simple explanation of a complex configuration, but it does cover essentially what SRP does.
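The “only run from certain locations” idea above, as an added example that is not the blog’s own configuration: a default-deny SRP with path rules for the two folders standard users cannot write to, written to the local-policy registry values that the Local Security Policy editor manages. It assumes an elevated prompt on a test machine and a re-login to apply; the extension list is constructed for the example.

```powershell
# Added example (not the blog's own configuration) of the SRP layout described above:
# nothing runs unless it lives somewhere standard users cannot write.
# Assumptions: Windows Pro/Enterprise, an elevated PowerShell prompt, a test machine
# (a mistake here blocks legitimate software too), and a logoff/logon to apply.
$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 262144     # SRP security level "Unrestricted" (0x40000)

New-Item -Path $base -Force | Out-Null
# Default rule: anything not matched by an Unrestricted path rule is blocked.
Set-ItemProperty -Path $base -Name DefaultLevel       -Value $Disallowed -Type DWord
# 2 = enforce for all software files; 1 would exempt DLLs (a common compromise).
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 2 -Type DWord
# 0 = apply to every user including local administrators; 1 exempts administrators.
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0 -Type DWord
# File types SRP treats as "programs". Constructed list; Windows ships a similar default.
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value @(
    'BAT','CMD','COM','CPL','EXE','HTA','JS','JSE','LNK','MSI','MSP','OCX',
    'PIF','PS1','REG','SCR','SCT','VB','VBE','VBS','WSC','WSF','WSH')

# Each allowed location is a path rule stored under the Unrestricted level key,
# in a subkey named by a fresh GUID.
function Add-SrpPathRule {
    param([string]$Path, [string]$Description)
    $ruleKey = "$base\$Unrestricted\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value $Description -Type String
}
# Standard users cannot write here, so these become the only places programs may start from.
Add-SrpPathRule '%SystemRoot%'        'Windows directory'
Add-SrpPathRule '%ProgramFiles%'      'Program Files'
Add-SrpPathRule '%ProgramFiles(x86)%' 'Program Files (x86) on 64-bit Windows'

# Show what was written, so the rules can be checked before logging off.
Get-ChildItem "$base\$Unrestricted\Paths" |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Any program a user legitimately runs from their profile (some updaters and portable tools do) will need its own Unrestricted rule, which is the “complex configuration” part the post refers to.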

Is that enough?

For now, yes. Unfortunately, we are already seeing malware-laden e-mails that appear to be trying to circumvent Software Restrictions. We will post updates as the threat evolves.


Sources
(1) http://thehackernews.com/2015/10/ransomware-decryption-tool.html
(2) http://www.theregister.co.uk/2015/11/09/cryptowall_40/
(3) http://www.abc.net.au/news/2015-04-28/act-police-warn-of-scam-traffic-fine-emails/6427874
(4) http://www.infosecurity-magazine.com/news/142-million-legit-websites-deliver/

Wednesday, 11 November 2015

Nagios - a Non-Technical Explanation

Tim's article describing how he is using Nagios to monitor printer toner levels (http://www.wkconsulting.com.au/2015/10/nagios-script-to-monitor-hpkyocera.html) set me thinking that the possible reactions would be like this.  A tech already using Nagios might think "Just what I need to avoid running out of toner at my branch offices!".  Another tech might say "they're still using Nagios!"  Everyone else (and probably some techs) would probably think "What is Nagios?"

I thought I would write an article aimed at the latter group.  I cannot go past stealing Wikipedia's summary of what Nagios is:
Nagios /ˈnɑːɡiːoʊs/, an open-source computer-software application, monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.

We use Nagios in a couple of ways. Firstly, we run a WKC Nagios server that monitors key systems for clients. Primarily, we know about problems and outages very quickly. Certainly, there have been several occasions where I have called a client to tell them an Internet link has gone down before they had noticed themselves. Also, Nagios is useful for gathering trends; see Tim's graph of toner levels. This might also be server storage utilisation, for example.

Secondly, for larger clients, with multiple branch offices we may install an in-house Nagios system.  This would monitor and record considerably more metrics for that particular client's network than our own Nagios system would.

The figure below shows a screenshot of our own Nagios system.

I picked a screenshot that shows a day when we had to check a couple of USB backups.  (The ones shown "snapshot" during the day using ShadowProtect to Network Attached Storage, which is then synchronised to USB disks that are taken off-site.  Perhaps, the backup regimes we put in place to fit a particular client will be the subject of another article in the future.)

Nagios is quite venerable.  We started using it in 2005.  Geoff did most of the work bringing monitoring of clients' systems online with our Nagios implementation, when he joined us in 2006.  We have considered Icinga and Zabbix as alternatives but Nagios is doing a great job for now.  If anyone has migrated from Nagios to another system and seen benefits please let us know in the comments.