E-mail is insecure by default because it is more like a postcard, not a sealed envelope

A number of people are under the misconception that two things happen when they draft and send e-mail: their message gets sealed in an envelope (that’s why you have to open e-mail, right?), and it goes directly to the person it was sent to via Internet magic. The truth is that your e-mail is sent in plain text (i.e. readable by anyone who picks it up along the way) and is passed around the Internet with multiple stops until it reaches its destination. People with evil intentions can intercept your e-mail, read it, or even alter it before it reaches your intended recipient. April 30, 2013
Revoking security access isn’t always enough

A California man has been arrested for interfering with computers at the California Independent System Operator (Cal-ISO) agency, which controls the state’s power transmission lines and runs its energy trading markets. Even though Lonnie C. Denison’s security access had been suspended at the request of his employer because of an employee dispute, he allegedly gained physical access to the facility with his card key. Once inside, Denison allegedly broke the glass protecting an emergency power cut-off station and pushed the button, causing much of the data center to shut down. Cal-ISO was unable to access the energy trading market, but the power transmission grid was unaffected. April 29, 2013

Stop! Nobody Sends Email to Dead People!

One type of Phishing (fake emails to trick you into sharing your private financial details) is to send a note claiming to want to send you a sum of money but not being able to because they have been told you are deceased. The idea is for you to prove you are not dead by giving up your financial information. As always, if it sounds too good to be true, it is probably not true. If someone wants to contact you in order to give you a large sum of money, they will almost certainly do it by certified mail, not by email. April 28, 2013

Do NOT open unknown or unexpected e-mail attachments

This morning I got an e-mail from my boss with an attachment. My boss is a man of few words on e-mail. If he wants to explain or discuss something with me, he picks up the phone. When he wants me to read or edit something we have talked about, he sends it to me. Even though the subject line was a date, the e-mail had no text, AND my boss hadn’t told me he was sending me an attachment, I opened it because it was from my boss at an e-mail address I recognized. Bad move. Imagine my surprise when my Norton anti-virus screen popped up with a message that the attachment contained a virus and had been deleted. Hackers had spoofed his address and I had fallen for it. April 27, 2013

Don’t be duped by Internet Fraud

We all get offers that seem too good to be true. Whether they come by email or appear on web sites, they are often clever schemes designed to dupe the gullible. Don’t be tricked by Internet Fraud. For more information see http://www.lookstoogoodtobetrue.com. April 26, 2013

Check for encryption or secure sites when providing confidential information online

Credit card and online banking sites are convenient and easy ways to purchase and handle financial transactions. They are also the most frequently spoofed or “faked” sites for phishing scams. Information you provide to online banking and shopping sites should be encrypted and the site’s URL should begin with https. Some browsers have an icon representing a lock at the lower right of the browser window. For more information about phishing, please visit http://www.onguardonline.gov/phishing.html April 25, 2013

Avoid spam in your IM email account

Did you ever sign up with an Instant Messenger client so that you could chat with your buddies? Perhaps you have more than one running on the desktop. Each popular IM client comes conveniently with an Email account, and each time there is an email associated with your IM screen name, you receive a notice with this account filling up. You can prevent the spam or any email notices from appearing by using a single filter. Since I added the following filter on my email account attached to my Yahoo IM, I no longer get these notifications. Simply add a filter that the From/ Address includes


Don’t enter your username and password on any computer you don’t control.


Use Outlook? Use the Auto-Preview, not the Reading Pane

If you are using an older version of Outlook, or if you have managed to reset the security level for e-mails, then you may be at some risk for HTML script-based exploits. Auto-Preview displays the first three lines of the message, enough to identify whether the message is valid, and it displays faster. Here is how to use it.
Disable the Reading Pane and Enable Auto Preview: Open Outlook. Choose View -


Don’t enter your password on an untrusted computer.

A password is only as secure as the computer or network it is used on.

Bad Guys target public kiosk-type computers and wireless networks, such as those in Internet cafes, conference centers, hotels and motels, and airports. The instant you type your password on a computer that is infected or rigged, or on one using a compromised wireless network, the Bad Guy has got that password for good. This is one reason why you should change your passwords on a schedule, and never reuse a password on several computers or systems. Regard all public-use computers as untrustworthy. If you have no choice but to use a public computer, change your password before you log off or at the next available opportunity. May 3, 2013

Watch out for shoulder surfers

Watch out for shoulder surfers who read over your shoulder or try to steal your password. If you have your back to the door or an open cubicle wall, get a rear-view mirror to stick up and watch behind you when you’re typing. This also prevents office pranksters from sneaking up on you. When in public places, such as Internet cafes, always try to sit with your back to a wall to prevent onlookers. Glass walls don’t count — thieves can look right through them! May 4, 2013

Don’t be an unintentional spammer

If you’re like most people, you’ve probably received at least one hoax or chain letter in your inbox. What should you do with the next one you receive? Delete it! Why, you ask? Because chain letters and hoaxes have the potential to cause problems (lots of network traffic or just filling up someone’s inbox) and they can also be very annoying. Visit the following sites to find out more about hoaxes and chain letters: http://www.snopes.com, http://www.breakthechain.org, http://hoaxbusters.ciac.org May 6, 2013
If you print it, go get it right away!

Don’t leave important, sensitive, or confidential material lying around the office. Common printing areas are frequented by people coming and going. Often you will be in line to pick up your documents and others may handle them before you. This leads to unnecessary information disclosures. One boss had a print job disappear and e-mailed the whole floor about it. The pages never turned up. Always use the closest print station, or a dedicated printer for confidential information, and go get it right away! May 5, 2013

Don’t Trust Links Sent in Email Messages

A common fraud, called “phishing”, sends messages that appear to be from a bank, shop or auction, giving a link to a fake website and asking you to follow that link and confirm your account details. The fraudsters then use your account details to buy stuff or transfer money out of the account. These fake sites can be hard to spot, so no reputable organization will send a message requesting your confidential information.


Bejtlich Teaching New Class at Black Hat in July

I’m pleased to announce I will teach two sessions of a brand-new two day class at Black Hat USA 2013 this summer. The new class is Network Security Monitoring 101. From the overview:

Is your network safe from intruders? Do you know how to find out? Do you know what to do when you learn the truth? If you are a beginner, and need answers to these questions, Network Security Monitoring 101 (NSM101) is the newest Black Hat course for you.

This vendor-neutral, open source software-friendly, reality-driven two-day event will teach students the investigative mindset not found in classes that focus solely on tools. NSM101 is hands-on, lab-centric, and grounded in the latest strategies and tactics that work against adversaries like organized criminals, opportunistic intruders, and advanced persistent threats.

Best of all, this class is designed


Practice of Network Security Monitoring Table of Contents

Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monitoring. The TOC has only solidified in the last day or so. I delayed responding until I completed all of the text, which I did this weekend.

You can preorder the book through No Starch. Please consider using the discount code NSM101 to save 30%.

I’m still on track to publish by July 22, 2013, in time to teach two sessions of my new course, Network Security Monitoring 101, in Las Vegas. I’ll be using the new book’s themes for inspiration but will likely have to rebuild all the labs.

I expect the book to approach the 350 page mark, exceeding my initial estimates for 256 pages and 7 chapters. Here’s the latest Table of Contents.

Part I, “Getting Started,” introduces NSM and how to think about sensor placement.
Chapter 1, “NSM Rationale,” explains why NSM matters, to help you gain the support needed to deploy NSM in your environment.
Chapter 2, “Collecting Network Traffic: Access, Storage, and Management,” addresses the challenges and solutions surrounding physical access to network traffic.

Part II, “Security Onion Deployment,” focuses on installing SO on hardware, and configuring SO effectively.
Chapter 3, “Stand-alone Deployment,” introduces SO, and explains how to install the software on spare hardware to gain initial NSM capability at low or no cost.
Chapter 4, “Distributed Deployment,” extends Chapter 3 to describe how to install a dispersed SO system.
Chapter 5, “SO Housekeeping,” discusses maintenance activities for keeping your SO installation running smoothly.

Part III, “Tools,” describes key software shipped with SO, and how to use these applications.
Chapter 6, “Command Line Packet Analysis Tools,” explains the key features of Tcpdump, Tshark, Dumpcap, and Argus in SO.
Chapter 7, “Graphical Packet Analysis Tools,” adds GUI-based software to the mix, describing Wireshark, Xplico, and NetworkMiner.
Chapter 8, “Consoles,” shows how NSM suites like Sguil, Squert, Snorby, and ELSA enable detection and response workflows.

Part IV, “NSM in Action,” discusses how to use NSM processes and data to detect and respond to intrusions.
Chapter 9, “Collection, Analysis, Escalation, and Resolution,” shares my experience building and leading a global Computer Incident Response Team (CIRT).
Chapter 10, “Server-Side Compromise,” is the first NSM case study, wherein you’ll learn how to apply NSM principles to identify and validate the compromise of an Internet-facing application.
Chapter 11, “Client-Side Compromise,” is the second NSM case study, offering an example of a user being victimized by a client-side attack.
Chapter 12, “Extending SO,” covers tools and techniques to expand SO’s capabilities.
Chapter 13, “Proxies and Checksums,” concludes the main text by addressing two challenges to conducting NSM.

The Conclusion offers a few thoughts on the future of NSM, especially with respect to cloud environments and workflows. Appendix A, “Security Onion Scripts and Configuration,” includes information from SO developer Doug Burks on core SO configuration files and control scripts.

I hope you enjoy the book and consider the new class! If you have comments or questions, please post them here on via


How to Detect and Prevent a WordPress Spam Injection Attack

Last month my WordPress blog was the victim of a spam injection attack. I am the art director for a highly rated graphic design and website design company. I have years of experience in website design and WordPress blog design, and I am security minded in my approach to web development – I was still a victim of clever hacking. It can happen to anyone, and it is happening at an increasingly alarming rate. The worst part about this experience was that not only was my WordPress blog attacked – my entire corporate website was removed from Google SERPs. We were ranked in the Google Top 10 for several coveted spots such as: graphic design company, packaging design companies, brand identity company, and many more. Our site was completely out of Google search results for two weeks, during which time we lost countless leads. This experience absolutely sickened me! It also created way too many hours of work dedicated to repairing the hackers’ damage and recovering our website’s Google rankings. During my research into fixing the spam injection damage I discovered that this is a widespread problem with WordPress blogs. It’s happening to thousands of people and it is not limited to people using older versions of WordPress.

Recovering from a WordPress Spam Injection attack is not fun, but you can regain your Google Search Results after being hacked by a spam injection attack. If you’ve been compromised, hopefully you have your website and WordPress blog backed up. It can be a pretty tedious process to go through every file and folder on your server locating and deleting spam files. I recommend backing up your WordPress posts and completely removing all files and databases from your server. Then do a complete fresh upload of your website and a complete reinstall of WordPress.

If you have already been removed from Google Search Results then you will want to notify Google immediately of what has happened. The best policy with Google is to be specific in your explanations. You will need to make sure that you have removed all bad files from your server, then contact Google again explaining what actions you have taken to resolve the situation and submit your “request for reconsideration”. In most cases where a valid site has been hacked, Google will restore the site’s rankings within two weeks. However, don’t expect any notifications from Google on the progress of reevaluating your website or WordPress blog. I am writing this article in the hope that it will help someone avoid having to go through that process.

What should you look for if you suspect a WordPress Spam Injection Attack?

The first thing you should look for is a list of spammy keywords showing up in your list of keywords located in your Google Webmasters Tools. If you aren’t using Google Webmaster Tools then you should definitely look into this. When your site starts showing up in weird looking search results, which can also be seen in Google Webmaster Tools under search results for your site, you need to act fast because at this point Google will act fast to remove your site from SERPS in order to protect others who may be at risk from visiting your website.

The key to detection is awareness. Be vigilant in monitoring your website and your website’s stats. Spam injections are a clever, effective form of hacking and show no outward signs of infection. However, if you do a Google site search for spammy keywords, such as site:yoursite.com viagra, you will be able to see whether your site is referencing spam keywords. You will not be able to see the spam by browsing your site. In order to actually see spam tags in your site you must go to the “cached” version of your web pages and view them in “text mode”. If you’ve been infected you will now be able to see spam keywords, usually appearing as a footer.

What does a Spam Injection Do?

Spam injection software hides spam keyword links in code that is usually encoded with a PHP function that effectively scrambles the HTML, to be decoded once safely embedded on your server, in your database, etc. You won’t see these files decoded, but the Google Bot and other bots will when crawling your site! Once the bots access the code, the spam injection software has done its work, effectively stealing your search index to improve the spammers’ own PageRank.

These spam injection hacks are software injections inserted into your site, usually at the database level or via templates or plugins, and they are very hard to detect. This is part of the reason WordPress is such a target for these attacks. Plugins are what make WordPress so dynamic and cool, but they are an open doorway for spam injection software. For obvious reasons we should all focus our attention on prevention so that you don’t have to deal with detection.
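The two checks the article describes doing by hand, as an added Python example that is not part of the original article: the first flags PHP files under a directory (wp-content is the usual place to look) that carry the obfuscation wrappers injected code hides behind, i.e. the encoded-PHP pattern described above; the second parses a saved copy of a rendered page (for instance the “text mode” cached view) and reports links that are hidden from visitors or that carry spam terms. The sample PHP and HTML inputs are constructed for the demonstration, and the spam-term list and the patterns are assumptions you would tune for your own site.

```python
"""Spam-injection triage for a WordPress install (added example, not the
article's own code).  Sample inputs below are constructed."""
import re
from html.parser import HTMLParser
from pathlib import Path

# Obfuscation idioms legitimate theme/plugin code almost never needs (assumed list).
OBFUSCATION_PATTERNS = {
    "eval(base64_decode(": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval(gzinflate(": re.compile(r"eval\s*\(\s*gzinflate\s*\(", re.I),
    "eval(str_rot13(": re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.I),
    "preg_replace /e modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

# Terms of the kind the article suggests searching with `site:yoursite.com <term>`.
DEFAULT_SPAM_TERMS = ("viagra", "cialis", "casino", "payday loan")


def scan_php_source(src: str) -> list[str]:
    """Names of obfuscation patterns present in one PHP source text."""
    return [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(src)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory tree and report per-file pattern hits."""
    hits = {}
    for path in root.rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            hits[str(path)] = findings
    return hits


class _LinkCollector(HTMLParser):
    """Collect <a> links and whether an enclosing element hides them from view."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # >0 while inside display:none / visibility:hidden
        self.stack = []         # open tags with their own hidden flag
        self.links = []         # (href, text, hidden)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))
        if tag == "a":
            self._current = [a.get("href") or "", "", self.hidden_depth > 0]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None
        if not any(t == tag for t, _ in self.stack):
            return  # stray end tag; ignore
        while self.stack:  # pop back to the matching open tag
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_suspicious_links(html: str, spam_terms=DEFAULT_SPAM_TERMS) -> list[dict]:
    """Links that are hidden from visitors or whose href/text carries spam terms."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text, hidden in p.links:
        blob = f"{href} {text}".lower()
        terms = [t for t in spam_terms if t in blob]
        if hidden or terms:
            out.append({"href": href, "text": text.strip(), "hidden": hidden, "terms": terms})
    return out


# Constructed samples: a theme file with an injected payload, and a page with a hidden link.
SAMPLE_PHP = """<?php
function theme_footer() { echo '<footer>(c) Example</footer>'; }
eval(base64_decode('ZWNobyAiaGkiOw=='));
"""
SAMPLE_HTML = """<html><body>
<p>Welcome to our <a href="/services">design services</a> page.</p>
<div style="display:none"><a href="http://spam.example/v">cheap viagra online</a></div>
<p><a href="http://casino.example/">best casino bonus</a></p>
</body></html>"""

if __name__ == "__main__":
    print("PHP findings:", scan_php_source(SAMPLE_PHP))
    for hit in find_suspicious_links(SAMPLE_HTML):
        print("suspicious link:", hit)
```

Run `scan_tree(Path("/path/to/wp-content"))` against a copy of the site to get a file-by-file list worth opening in an editor; any hit on `eval(base64_decode(` in a theme or plugin that you did not write is the first file to compare against a clean copy from the plugin’s official source.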

What can I do to prevent a WordPress Spam Injection Attack?

I’ll start with the simplest things you can do to protect your WordPress blog or site from spam attacks.

First: Update WordPress

Updating WordPress is the easiest thing to do, so why not do it? I usually wait a short period of time after a new release to make sure the bug fixes have been worked out. Please be aware that simply updating WordPress is NOT enough!

Second: Pick a good password

Pick a good password. Don’t use the same password on every site. If you’re really diligent you can also change your password regularly.

Third: Change the admin user name

The default WordPress user name is “admin”. This is just a guess, but I suspect that the majority of people never change this. Don’t give any information away. Hackers are clever, but like burglars they would rather move on to the easy score. You can change the admin account by creating a new user and then deleting the admin user. You’ll be given the option to migrate posts to another user.

Fourth: Hide your WordPress Version Number

David Kierznowski of blogsecurity.net recently released a simple plugin to hide your WordPress installation version number.

The no version plugin is a simple plugin that replaces the version number with blanks, so anyone doing a “view page source” from the browser on your site will not be able to see your WordPress version.

Fifth: Protect your plugins

Plugins are the easy gateway for hackers to access your blog. All WordPress files begin with (wp-) by default, so hackers can quickly discover which plugins you’re using by going to /wp-content/plugins/ if you haven’t renamed your database files. A quick remedy is to place a blank index.html file in the wp-content/plugins/ folder so the directory listing is not shown.

More Complex Procedures:

First: Protecting your WP-Config file.

This file contains your database name, database username and database password. Obviously, you don’t want anyone to have access to something this valuable. If you don’t feel comfortable making changes to your config you may want to contact your hosting company for help otherwise you can add the following code to your .htaccess file:

.htaccess:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Second: Change your database names

Note: do not attempt this unless you are comfortable with phpMyAdmin and making changes to MySQL. If you are not comfortable with this you should hire a professional to assist you.

Begin by backing up your database!

Many people have problems with the database table name prefix changing functionality of WP Security Scan. You can manually change your database names following the instructions below.

1. BACKUP your WordPress database to a .sql file – you can do this in phpMyAdmin.

2. You should Deactivate your plugins as a precaution before proceeding. You can reactivate them after you have finished.

3. Make a copy of the .sql file you created, then you can open the .sql file and use a text editor to find and replace all “wp_” prefix to “rename_”.

4. Now, drop all tables of your WordPress databases, but DO NOT drop the database.

5. Import the edited .sql file into your WordPress database.

6. Finish by editing your wp-config.php file and change $table_prefix = 'wp_'; to $table_prefix = 'something_';
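The rename procedure above, as an added Python example that is not from the original article. Step 3’s find-and-replace is applied only where “wp_” names a table (CREATE/DROP/ALTER TABLE, INSERT INTO, LOCK TABLES) and to the option and user-meta keys WordPress derives from the prefix (wp_user_roles, wp_capabilities, wp_user_level), which must change as well or the administrator account has no role after the import; any other quoted value that merely starts with the old prefix (a plugin’s own option name, for instance) is left alone and listed for manual review. It also rewrites the $table_prefix line for step 6. The SQL dump and wp-config.php fragment below are constructed, and the list of prefix-derived keys is an assumption to check against your own options and usermeta tables.

```python
"""Change the WordPress table prefix in a SQL dump and in wp-config.php
(added example, not the article's own code; sample inputs are constructed)."""
import re

# Row keys WordPress builds from the table prefix (assumed complete for the
# administrator role; check options/usermeta in your own dump).
PREFIXED_ROW_KEYS = ("user_roles", "capabilities", "user_level")


def _check_prefix(prefix: str) -> None:
    """MySQL identifier fragment: letters, digits, underscore, ending in '_'."""
    if not re.fullmatch(r"[A-Za-z0-9_]+_", prefix):
        raise ValueError(f"bad prefix {prefix!r}: letters/digits/underscore, ending with '_'")


def rename_table_prefix(dump: str, old: str, new: str) -> str:
    """Return the dump with table names and prefix-derived row keys renamed."""
    _check_prefix(old)
    _check_prefix(new)
    # Only touch the old prefix where it opens a backticked table name after a
    # table-level statement keyword, never inside arbitrary row data.
    table_rx = re.compile(
        r"(?P<kw>(?:CREATE TABLE(?: IF NOT EXISTS)?|DROP TABLE(?: IF EXISTS)?"
        r"|ALTER TABLE|INSERT INTO|LOCK TABLES)\s+`)" + re.escape(old)
        + r"(?=[A-Za-z0-9_]+`)",
        re.IGNORECASE,
    )
    out = table_rx.sub(lambda m: m.group("kw") + new, dump)
    for key in PREFIXED_ROW_KEYS:
        out = out.replace(f"'{old}{key}'", f"'{new}{key}'")
    return out


def leftover_references(dump: str, old: str) -> list[str]:
    """Quoted string literals still starting with the old prefix, for manual review."""
    return sorted(set(re.findall(r"'" + re.escape(old) + r"[A-Za-z0-9_-]*'", dump)))


def update_config_prefix(config_src: str, new: str) -> str:
    """Rewrite the $table_prefix = '...'; assignment in wp-config.php."""
    _check_prefix(new)
    rx = re.compile(r"(\$table_prefix\s*=\s*['\"])[^'\"]*(['\"]\s*;)")
    updated, n = rx.subn(lambda m: m.group(1) + new + m.group(2), config_src)
    if n != 1:
        raise ValueError("expected exactly one $table_prefix assignment")
    return updated


# Constructed sample dump: three tables, role data, an unrelated option, and
# post text that happens to contain "wp_" and must stay unchanged.
SAMPLE_DUMP = """DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_id` bigint, `option_name` varchar(191), `option_value` longtext);
LOCK TABLES `wp_options` WRITE;
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.test'),(2,'wp_user_roles','a:1:{s:13:"administrator";a:0:{}}'),(3,'wp_mail_smtp','a:0:{}');
UNLOCK TABLES;
CREATE TABLE `wp_usermeta` (`umeta_id` bigint, `user_id` bigint, `meta_key` varchar(255), `meta_value` longtext);
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),(2,1,'wp_user_level','10');
CREATE TABLE `wp_posts` (`ID` bigint, `post_content` longtext);
INSERT INTO `wp_posts` VALUES (1,'See the wp_ prefix note');
"""
SAMPLE_CONFIG = "<?php\n$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    renamed = rename_table_prefix(SAMPLE_DUMP, "wp_", "rename_")
    print(renamed)
    print("still referencing old prefix:", leftover_references(renamed, "wp_"))
    print(update_config_prefix(SAMPLE_CONFIG, "rename_"))
```

Run it on the copy of the dump from step 3 and import the output in step 5; whatever leftover_references prints is the list of values to decide on by hand rather than by a blanket replace.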

I hope that this article will help someone avoid the fallout associated with a spam injection hack. I love the functionality of WordPress, but unfortunately, this experience has left me so cautious that my company no longer uses a WordPress Blog along with our corporate website. Maybe someday.