Using defence in depth to mitigate the risk of ransomware

I've written before about the evils of crypto locker and the spawn of that devilish state of affairs known as ransomware. Recently I came across an infection and saw first hand how defence in depth can save your data and the bitcoin.

Firstly, let's consider the perimeter of the network. What vectors for attack exist externally to the network? There are many and they include:

• malicious emails
• dodgy websites with malicious payload 
• malicious actors (hackers) out to get you

The first layers of defence include (in this case):

• an antivirus/antispam gateway for email, with the firewall at the main router allowing only connections on port 25 (smtp) from the mail scanner gateway
• antispyware/antivirus email on the computers scanning every website that a user visits, plus using OpenDNS with a variety of restrictions on it to protect the user from themselves
• firewalls and obfuscated ports where applicable with minimal "open-to-the-world" ports

That's the hard outer layer. Past the router / firewall and onto the network, we use:

• firewalls on all PCs (granted only the windows ones, but supplemented with the anti-virus product's offerings)
• WSUS to keep everything patched and up to date
• VLANs to separate out stuff
• usernames / passwords for access to all network resource

To further enhance security:

• all backups go to a UNC path (i.e \\nas\backups) rather than a mapped drive (like an S:\ drive) which is important because ransomware will attack both local drives and network mapped drives - encrypted backups are 100% useless
• users have restrictions based on principles of least privilege and this is rigorously enforced
• servers are also patched and up to date
• logs are maintained on a separate server
• PRTG is used to monitor network traffic on the switches and a variety of other stuff

So what happened and how did this all help to mitigate a ransomware attack?

Well a user, let's call him Jim Bob, has a very weak password. Let's say it's Secret01 (yes if this is your password, it is shite. Change it now!)

An external attacker managed to get Jim Bob's username, and then proceeded to attack the remote desktop services to see if they could brute force their way in. What would you know, about 2 hours after starting, they got the password and were in. This could have been mitigated by having a password locking system turned on, but remember - you have to balance usability with security. This particular organisation struggles with passwords at the best of times, so locking a user out after 3 failed attempts for 10 minutes would have very high frustration levels as a result.

The attacker now had access to a server. But - Jim Bob's account was extremely limited. He just couldn't do much - he didn't need to. Basically log on and access the internet. That's him to a tee. This therefore, is all the attacker could do. Frustrating I bet!

Along comes the admin and logs on. The attacker - seeing a systems admin hit the server panics and drops a ransomware payload, probably thinking they'll get some sort of a payday somehow. Their ransomware attack manages to get a foothold on a mapped drive. The security on that mapped drive allows for only a small percentage of accessible files to be encrypted before the wily sysadmin spots it and locks Jim Bob's account down, and shuts off the file server. 

Our defence has now limited the risk by controlling the access to files and what could be attacked. And it gets better. Our snapshot backups are working as advertised and have a 15 minute old copy of the entire mapped drive's file system. With a few clicks, our intrepid sysadmin restores the whole lot over the next hour. Hundreds of files, barely out of date and only in a few instances. Within a few hours, Jim Bob's account has been restricted, password changed and the user Jim Bob given a kick in the bum for having a crappy password and the network drive is fully recovered.

Although our initial defensive line was penetrated (users can be your greatest security risk), the rest of the network's defences held firm mitigating the impact of the attack and the organisation's exposure to loss of data. No pay day for our arsehole attacker today! I like to think of how sad they must be, all that effort and no reward.

In the wash up, the sysadmin goes through and using the logs, PRTG and combing files finds the attacker's trail and mops up after them, making notes on what failed and how to improve it for next time. 

The moral of the story is this - defence always loses. Attackers will win. All we can do is to mitigate the damage and risk to the best of our capabilities and budget. Hopefully you will read this and get a few little ideas about how to perhaps enhance your existing defence, or even think about what attack vectors might exist. This pretend network is by no means perfect - it could always be better. Budget and skill restrictions come into play though and mean we have to find the best effort with whatever we've got at hand to make it work. Be smart and get margin into your security so a break in doesn't break your heart or your budget!

Samsung Gear Fit vs Apple Watch 2 - a review and comparison

Recently I was given an Apple Watch 2 - it's very nice and I've replaced my Samsung Gear Fit with it. After wearing the Watch for a week, there have been a few tangible differences between the two I thought it might be worth noting. If you're unfamiliar with the devices they look like this:

These images are the same as the devices that I have. The physical differences are obvious - the Apple Watch is significantly bigger, with the more square face. Both have OLED displays which make for bright, colourful GUIs. Both are touch screen and both share a variety of internal sensors like heart rate and accelerometer. The Gear Fit is lighter, narrower and for what I've used it for - holds a longer charge than the Apple Watch. The Apple Watch has many more sensors - including GPS/GLONASS and WiFi, checks your heart rate with great frequency daily and keeps telling me to "Breathe"! (this gets a bit annoying after a while)

Here are a few of the summary differences I've found in the last week (and please bear in mind I wore the Gear Fit for 2 years before replacing it).

• The sleep function on the Gear Fit is much better than the Apple Watch - you have to get a 3rd party app for the Watch which I found annoying. It's built into the Gear Fit, mutes and blocks the device and gives you some nice reporting via the Samsung Health app. Also, access to the sleep function I found is better - put the Fit into sleep mode and it's ready to track your sleep, then give you a report in the morning when you turn it off. The Apple Watch - using the AutoSleep app, alleges that it can work out when you go to sleep and then when you get up via some sort of magic I assume. I'm still trying to figure out the meaning of the sleep reporting (which is irritating in and of itself).
• The Watch hasn't locked up yet but the Gear Fit has twice in the last week. This is a full reboot, and lose all of your sleep data - something that happens with semi frequency on the Fit and is quite annoying.
• Notifications are roughly the same through both - configurable and fairly useful. The ability to send detailed replies with the "Scribe" function (you use your finger to write each letter) on the Apple Watch is pretty neat - I've used that several times.
• Both watches can answer the phone, or more likely - divert to message or voicemail. The Apple Watch you can actually talk into the watch and I've been on the receiving end of that a couple of times. It wasn't bad really, but I think you'd feel like a dill talking into your watch like Get Smart rather than use the phone.
• the summary from the Samsung Fitness software is much better than what Apple Health provides (at least for me). I find the sleep data and the way its presented to be significantly better than the Apple information. The Samsung software tells you how often you got to bed on time, and how often you got up on time. I like that. It provides a small sense of accomplishment just for getting my lazy backside out of bed in time.

As a bit of an update to this review - it's been an extra week of using the Apple Watch and I'm still unimpressed by the sleep thing. I have set aside some time to look into this in greater depth because I feel it's so lacking. Keep an eye here for some more info. The alarm feature on the Apple Watch has been pretty good. The vibration on the wrist isn't startling to wake up to, and it doesn't disturb my wife (which she is happy about). 

In summary both of them are really quite good devices. They lock you into their respective ecosystems (Samsung vs Apple) and this is to be expected, potentially not loved though. For purpose, I think the Gear Fit was better for tracking sleep, better battery life and a robust device. The Apple Watch's aesthetics are lovely, it has a tonne of functionality and I've barely scratched the surface of it. I'll go into it more as I play with this thing a bit. It's easy to see where the extra value in the Apple Watch is.

Mint 18.2 Review

Linux Mint 18.2 in the wild!

I’ve just upgraded to Mint 18.2 from 18.1 being the (sort of) early adopter that I am. Realistically there was no good reason to do this - 18.1 was running well and doing everything I need, except to get any new bits and pieces that come with .2. There are some nice new desktop pics (quite beautiful ones actually), but not much I can see that is really different. It's still running Cinnamon, so there haven't been any gigantic changes in the UI in a while. I’m running it on a Lenovo M series desktop that I’ve had for some years and it’s a beast of a machine so any performance upticks in the new version aren’t really noticeable. Here are the release notes : http://blog.linuxmint.com/?p=3289 and they're worth a quick perusal.

I did find that my desktop icons all disappeared. As a result I experienced sadness :-(

Fortunately I found the solution. The nemo-desktop application is no longer running. I found it (/usr/bin/nemo.desktop), ran it and voila - icons are back! I’ve added it to the startup applications and that fixes that.

I really enjoy the ease of the upgrade process - it’s fast and straightforward using the excellent Mint Update Manager. The download was around 400MB but the mirrors are all quick and it was quite painless. A fast reboot and I was back in business. I also took the opportunity to upgrade the Nvidia drivers I have (for my whiz bang graphics adaptor) and after another restart I was done. As a result, my primary work computer was fully upgraded and operational in about 20 minutes - much better than the Windows 10 computers I've just got that need a 4GB upgrade out of the box (!)

Mint 18.2 “Sonya” new stuff:

• LTS release so supported until 2021
• Cinnamon 3.4 apparently has many new icon management features (I’ll have to try this out now I’ve got icons back!)
• Plugins for Cinnamon run in their own process
• Add-ons called “spices” have been added - check them out on the Cinnamon Spices website here: https://cinnamon-spices.linuxmint.com/
• Various app upgrades including xed, update manager, xviewer, xreader and LightDM - the new login manager.
• Ships with Linux Kernel 4.8.0-53

Get it via Update Manager or from the Linux Mint website: https://www.linuxmint.com/download.php

pi-hole - awful name, great product!

Advertised as "A Black Hole for Internet Advertisements" pi-hole (https://pi-hole.net/) goes a long way to living up to this reputation.

What is it?

pi-hole is a domain name server that can be installed with one command onto a Linux box or Raspberry Pi running Raspbian or similar. Once this is done, an update to your site's DNS records and all queries get pushed through the pi-hole, blocked as appropriate and then sent out to the world.

We are running it on an Ubuntu 14.04LTS virtual server, with 1GB of RAM and a single vCPU - and the DNS response time is quite acceptable. A tiny server will run this software quite easily.

Why use it?

If I'm looking at websites and browsing around, typically I'm not just getting my content that I want - there's a bit more sneaking through. Ads! Most sites will use advertisements to make money and I have no problem with this. My issue usually stems from having too many of the damn things popping up and chewing up resources like bandwidth and screen space. That's where pi-hole fits into the picture. Currently it's blocking over 100,000 different sites. We've noticed an improvement in web page speed and in testing - by going to www.news.com.au , we found that there was quite a few domains blocked.

Here is an example of our office's information from this morning (midnight to noon)

5% of our queries blocked! That's a reasonable amount of traffic in a 5 person (at the moment) office. Imagine if it were 100 people or more?! The amount of DNS requests and the traffic would drop considerably.

Additionally, pi-hole has provided some protection from malicious attacks via dodgy websites - these seem to get blocked as well and the additional safety is great to have - particularly when the cost is virtually nil. Combine it with OpenDNS as the relay (the next step in the DNS resolution trail) and the possibilities for controlling your DNS with a high degree become more realised.

We've been happy with our little pi-hole (oh that name is dodgy). Try it out :-)

MacBook Pro (late 2016) first impressions

One of my clients who is a bit of an early adopter grabbed a new MacBook Pro (MBP) last week. It's the 15" i7 wizzbang bit of gear that looks really quite lovely. He asked me to migrate his data from his old MBP to the new one. I ran a full backup to external USB and it was all going swimmingly, and then I remembered - damn! The new MBP's don't have regular USB! They only have USB-C! Aaargh. Fortunately the Apple Migration tool is great and I was able to punch it all across via wireless (this is very slow - I recommend an alternative via ethernet)

After using the machine for an hour or so this morning, this is what I've come up with:

Pros:

• The screen is gorgeous - the Retina screen is just so lovely to look at and has such awesome colour depth. I really liked it. Flicking through some of the desktop images and pictures showed the resolution and colours beautifully. I reckon my next one has to have this
• the touch bar above the keyboard - I thought this would be gimmicky but after a bit of use I found it quite handy. I do miss my Function keys though.
• touchpad - this is responsive and super accurate. One of the biggest faults I have with a laptop is the poor accuracy and/or speed of the touchpad. This one was quite nice (although it has it's faults)
• physically a very easy laptop to move around - light but solid construction and good hinges on the screen

 The Expected

• great build quality (like other MBPs - even my 5 year old one)
• snappy - i7 processor (2.6Ghz Quad Core i7)
• lots of RAM (16GB)
• fast disk (256GB PCIe-Based SSD)

 In short - I expected high performance from this laptop and while it was crunching the iPhoto database from the old machine, I installed and ran Parallels, with a full Windows install running some fairly intensive image software and the thing didn't miss a beat. It really cracked along and I expected that to be the case.

 Cons:

• The Keyboard - is shite. I'm sorry but the keys have no feeling to them, bugger all travel and just have a weird texture that I didn't like. I was jumping between the client's mid 2012 MBP and this brand new one and the comparison was no favourable. Seriously - typing is a kinesthetic experience. How about a bit of nod in that direction?  Check out Lenovo's L series laptops for a great typing experience. I hated the keyboard
• The touchpad clicks - while the touchpad was accurate and fast, the clicking feeling again was sub-par for me. I like a bit of tactile response (as you've guessed) when I'm wailing away on the keyboard. I don't want to have it feel like a tablet (which I despise typing on) or a phone (also = despise)

That's really all. For me though that keyboard is almost a deal breaker. Perhaps I'd get used to it over time though (if someone wants to give me one of these toys to play more with). Would I buy one for? There's a very high probability of that. It really is a well constructed laptop.

Here is the link to the model closest to what I was playing with: http://www.apple.com/au/shop/buy-mac/macbook-pro/15-inch - for $3600 it's a big price tag for a pretty decent machine. Is it worth it though? Well I had a bit of a poke around and looked at Lenovo's site. For a similar machine (size, processor, RAM, disk etc) Lenovo have a nice little ThinkPad P50.

Specs are:

System component

• Intel Core i7-6700HQ Processor (6MB Cache, up to 3.50GHz)
• Windows 10 Home 64
• 15.6" 4K (3840x2160), anti-glare, IPS
• 16GB DDR4-2133MHz SODIMM (8GBx2)
• NVIDIA Quadro M1000M 4GB
• With Color Sensor
• 720p HD Camera with Microphone
• Backlit Keyboard with Number Pad - English
• Integrated Fingerprint Reader
• 256GB SSD PCIe-NVMe OPAL2.0
• 170W AC Adapter - ANZ (3pin)
• 6 Cell Li-Polymer Battery, 90Wh
• Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 No vPro
• 1 Year Depot
• 
  

And this is $5050! See: http://www3.lenovo.com/au/en/workstations/thinkpad-p-series/P50/p/20ENCTO1WWENAU0 

I've specced it up from the basics to get close to the MBP. Hopefully this provides you with a little bit of perspective when you look at the MacBook's price. The Lenovo is a well built bit of kit too - I've used one of these before. The build quality isn't up to the MacBook though. It doesn't have the clean lines and aesthetics of the Apple products either. Still, I'll take either one if someone wants to give it to me!

The unintentional DoS

DoS - Denial of Service

Over the weekend it was very hot here - 39C over both days and air conditioning was being pushed pretty hard. My team and I had two unrelated, but linked situations evolve that could have hit us with a DoS. You see, we have a network attached storage device (NAS) that had a fan failure. While this NAS has redundant fans in it, one wasn't enough to keep the temperatures under the 55C warning threshold. So it started to complain....

Over the course of the 48 hour weekend, this NAS sent out over three and a half thousand emails! 3500+ emails! All to our logging email addresses, which then sent it out to the members of the team. 5 team members, 3500+ emails.... 17,500 emails being sent and received. That's a lot email in a short time. Most email servers will handle that and ours certainly did. Fortunately too we use G-Suite (Google Apps new fancy name) and so the volume of mail wasn't an issue.

What became an issue though - and this did have an effect on our phones and mobile devices picking up email - was that another network device - a disaster recovery server - also suffered heat stress from failed air conditioning. A sparky had unplugged our monitoring device to charge his tools and hadn't plugged it back in, so we had no idea what was happening (this was Sunday afternoon). When the A/C failed, the server turned off and the replication servers started to complain - four of them, every 30 seconds.... Over 12 hours those servers alerted our logging email address over 5,000 coming in and going back out - another 25,000 emails hitting phones plus the other emails as well.

Having had the discussion with clients about hosted email solutions versus onsite solutions, there are definite advantages to having huge servers managing your email. So if you don't have a cloud based solution, how can you mitigate this risk?

Defence in depth is a great place to start. Organise to get a mail exchanger - MXGuardDog or something similar. Westnet used to do one too. Get your MX records updated to punch mail through that. These then relay to av-relay.domainname.com. Configure your firewall to only accept emails from the IPs at MXGuardDog (for example) and drop everything else (or at least grey list it so it gets dropped and the sending server can try other MX records).

This way you can temporarily control the flow without having your ADSL or NBN connection getting flogged to death.

Configure your internal mailer to hold emails for this kind of thing - to recognise a flood of email and trickle it out where possible. The risk is that legitimate email (which these emails both are and aren't) will get lost in the flow. It's better than having your upload link fully saturated though (which will kill all internet connectivity).

DoS are bad. DDoS are worse. Let's try to avoid doing it to ourselves!

3 Word Processors compared - Microsoft Word, Apple Pages and Google Docs

In the course of work and university I've been jumping a bit between Word, Pages and Docs for various reasons. I thought it might be useful to compare them. Let's start.

Price

• Google Docs is included either in a free Gmail account or G-Suite. Its available for free on your mobile device with native apps on iOS and Android
• Pages is $30.99 and can be found in the Apple Store. It's included in iOS on the iPhone or iPad
• Word is part of the Microsoft Office Suite. The cheapest of which is Office365 Personal (for Mac) which is $89 inc GST per year (See the Microsoft Office pricing page here). Includes a licence for a single mobile device

On price Docs is the obvious winner. Free to get access to and solid support on mobile devices. 

Usability

All three of these applications are very useable - but which one is *most* usable? Google Docs is a clean, uncluttered interface with relatively few options available:

Simple and uncluttered with everything there and looking like every single other word processor through history.

Pages has a different take on it, and one that can be a bit confusing to begin with.

The sidebar gets added into the mix, and many controls are moved out of the top menu and into here. I don't mind this personally, but I do find on the MacBook that I dislike losing the screen real estate to this menu. It is functional though.

Word has the infamous "ribbon". This is the Office365 version of it:

Since Microsoft changed the menu titles back to being in regular capitals / lower case, the readability of these menus has improved immensely. I remember when the ribbon came out and people loathed it. It just is now and I find it to be quite useful. The drawback for me with Microsoft Word is the sheer number of options available. We are spoiled for choice, control and capabilities and it can be overwhelming at times.

The usability winner is a totally individual choice and I leave it up to you to decide. Personally I like Pages but I'm ok getting around all three.

Functionality

This is a big one to consider. Word has clearly got it all (and most users will touch about 10% of it's capabilities day to day). Pages is likewise heavy on features and Docs comes in last, with its smaller range of functions. I think because Docs is web based then it was forced into more simplistic functionality and Google had to really choose the key word processing capabilities to include.

There is one function that stands Word out from Pages though in these heavy hitters. The ability to have a section in landscape, while the rest of the document is in portrait is not available in Pages (that I could find). Now most people probably won't care about this overly, but for me, if I'm inserting a large landscape graphic or big table it is critical and stupid Pages won't do it. Very frustrating. I've never really tried it in Docs, but a 3 second Google search shows it's not possible. Word wins for this!

All three offerings have Table of Content, header, footer, page numbers, insert stuff blah blah - you get the drift. All the basics and day-to-day stuff is there, and its only the more advanced activities where they are differentiated.

Aesthetics

Which one is the prettiest? A very subjective question of course. It should be noted that Apple have spent a lot of time on fonts and appearance, but so have Google and Microsoft (they just aren't as talked about). This is up to you - but I rank them Pages, Docs, and Word. Word is a bit busy for me - lots going on and when I'm working on an assignment or report I need clarity. Docs is very good for this, but something about the Pages appearance appeals to me.

Things to note about the different applications

Pages is Apple centric - don't bother looking for it on anything that doesn't have the Apple logo. That being said, it integrates very well with iCloud and syncs to your mobile device quite happily. 

Word is starting to become ubiquitous everywhere - Microsoft have released Office365 in a web browser, it's installable and available as an app on most mobile devices. The experience is the same across them all and really is improving.

Google Docs is maturing constantly and more features are being added frequently. For collaboration it is King. See updates and writing by other people in almost real time and easily give various levels of access to documents. For working with colleagues Docs is the best - Pages and Word are not in the same realm.

osTicket and OTRS - a comparison

While I have been a fan of OTRS for many years and like the interface, reporting and usability of it, I recently chanced across osTicket (from the TV series Mr Robot). It looked interesting and a client I have wants an internal ticket management system (they had also seen it). After a bit of to and fro, they agreed to some research time and I set up osTicket.

My usual server OS is Ubuntu's latest LTS. In this case, 16.04LTS. The problem is, it ships with PHP7, and osTicket doesn't play nicely with that. There is a good tutorial over on Chubbable that's worth checking out: https://chubbable.com/osticket-install-guide/2#ubuntu-based

Have a look at that if you want to install it - it's pretty straightforward.

So my impression of osTicket is that its pretty good. The interface is reasonable intuitive and I've set it up at home to manage the stuff I'm going (but mostly just to play with it). There is a client interface and an agent interface. The Agent interface gives you access to tickets and tasks. Tickets are the top level action, tasks are a part of tickets. In this way, some basic project management can be applied. Here are a few different views that are available:

osTicket Dashboard

osTicket Task view - got some work to do on NFS No Limits!

osTicket Tickets

You can see in the Tickets there is an NFS No Limits ticket. Under the tasks panel, you can see I've broken this down further into the things I need to do with that Ticket. I imagine with multiple agents, the tasks could be spread around.

So why not migrate to osTicket? The ability to capture time in osTicket seems to be hideously complicated to implement. Perhaps I need to do more research into that, but in OTRS its pretty straightforward. For a company just interested in getting things done, then the time capture isn't so important, but for us - its a big part of the job being completed. Reporting is still something I need to investigate. The reporting in OTRS is great (once you get your head around it) so I'll be interested to play with osTicket a bit more and see how it goes. Stay tuned for more updates...!

2017 - a new year and new challenges in IT ahead!

Welcome back.

We've got a lot to do this year - the number of attacks is increasing again, Microsoft's new update policy will have it's full effect on the computing ecosystem and Linux will be a prominent part of this blog. Lots happening indeed....

We're at the 10th day of January and I've already had servers lose their Kerberos connectivity with active directory, our first cryptolocker infection and so much more.... I need a lot more coffee to deal with this pish.

Stay tuned - I'm hoping to get my hands on some new tech and describe, some old tech and revive it, and just generally putter around for your amusement.

So far I have learned this:

• MacBook Pro's (2012) can and do lose their wifi capability - I think the on-board adapter and finding one that works with a Mac can be tricky. 
• MacBook Air's have a battery problem - they turn off and won't turn back on until you remove the battery (an annoying exercise)

Plus all the stuff on fixing Kerberos etc which will be the subject of a post down the track.

Let's get to it.