Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
(Dave Piscitello)
2. Re: Phishing (Mathew Want)
3. Re: firewall-wizards Digest, Vol 64, Issue 5 (John Michealson)
4. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
(Kyle Creyts)
----------------------------------------------------------------------
Message: 1
Date: Fri, 12 Apr 2013 10:33:15 +0200
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<CADLVL0LDnwygEHAQ6eqvUzH8VmSM3B7O07_MBbskBOTwLLyhpA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Stephen,
I think your premise - that we are comfortable with this architecture
- is wrong, at least for this choir.
Your analog also only looks at one dimension of the problem space.
- the ship hull is compromised
- the pumps are working because someone thought to enable this
automation, and he's now serving on another ship
- much of the crew are not competent to deal with the crisis, and
don't have the time to fully assess the damage because they are
distracted by requests to solve far less critical issues so that other
of the ship's services remain in operation for the passengers
- the passengers pay no attention to the warnings, alarms, and have no
clue as to how to abandon ship
I suspect that few on this list are comfortable with this scene. The
pump is there for many because it's keeping the ship afloat while we
patch and re-think how to prevent future hull breaches. Part of
re-thinking is coming up with better monitoring (of hull integrity)
and AWS; part is raising competencies among crew, and part is raising
security awareness among passengers. All of these require the
captain's approval and the captain has to empower the officers.
On Thu, Apr 11, 2013 at 8:46 PM, Stephen P. Berry <spb@meshuggeneh.net> wrote:
> John Michealson writes:
>
>>Check Point's gateway based AV went cloud based last fall. It has over 6M
>>signatures. They also have AntiBot, which has hundreds of millions of IP
>>and hosts classified. They are reclassifying 50k sites/hosts a day with
>>their ThreatCloud, and ThreatEmulation is in EA. Their Application Control
>>has 4900 apps defined locally and 300K in the cloud. Combined with
>>education these are very effective tools.
>
> Perhaps I just have a bad attitude, but I'm imagining a ship with a
> great jagged hole below the water line and a very high output bilge
> pump that's almost but not quite keeping up with the flooding. The ship
> doesn't sink -immediately-, and hey that is a pretty impressive pump. But
> I'm not sure that I'd say that the pump is a very effective tool, because
> the task I'm actually concerned with isn't---or, I would argue shouldn't
> be---pumping water out, which the pump does quite well, but rather with
> keeping the ship seaworthy by keeping the water from getting in in the
> first place, and the pump doesn't do that at all.
>
> I'm not trying to badmouth Checkpoint here. I'm sure their product is
> wonderful for what it is. But I find it distressing how comfortable
> we've become with living with network architectures that are perpetually
> in a state of failure. That are designed failed. You speak in glowing words
> of the monumental efforts expended by Checkpoint. But while I can admire
> all that hard work, when I see a system that -needs- this sort of heroic
> effort -on an ongoing basis- just to continue functioning, I see a system
> that is fundamentally broken.
>
>
>
> - -spb
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
------------------------------
Message: 2
Date: Fri, 12 Apr 2013 16:49:03 +1000
From: Mathew Want <imortl1@gmail.com>
Subject: Re: [fw-wiz] Phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CAKFczxYEtu9h-OX=hVb+yaV-kxS0iHnXYR+5q0B+grysBsCx7Q@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Last time they sent out a warning email here along the lines of:
<warning_email>
We never ask for your username and password. If you get an email that looks
like:
"There is an issue with your account. Please reply with your username and
password and we will rectify it"
You should never reply to these messages with your details.
</warning_email>
50 people replied with their usernames and passwords. As much as user
education should be the answer, you can't put brains in pumpkins and you
can't patch stoopid.
*sigh*. Looks like the only real answer is to have your systems set up in
such a way that when there is a compromise from this type of thing, they
can't do any damage, or it is at least restricted. This is starting to sound
like a song we have sung before...
Have a pleasant weekend all!
M@
--
"Some things are eternal by nature,
others by consequence"
On 11 April 2013 19:38, Paul D. Robertson <paul@compuwar.net> wrote:
> I've had friends tell me that they've never failed using fake LinkedIn
> accounts when performing pen tests- I'm not sure how valuable training is,
> but I'm reasonably confident it and Facebook are the top two common vectors.
>
> Paul
> --
> President and Chairman, FluidIT Group
> Moderator, Firewall-Wizards
> http://pauldrobertson.net
> http://pauldrobertson.com
> @compuwar
>
> On Apr 10, 2013, at 18:56, Dotzero <dotzero@gmail.com> wrote:
>
> > Training is useful as long as it is appropriate training that the
> > end user can reasonably implement.
> >
> > As far as blocking Facebook/LinkedIn, I don't believe it is a
> > particularly useful approach. I prefer to educate end users on ways to
> > mitigate risks.
> >
> > An example of this is to never click on purported LinkedIn emails.
> > Delete them and log into the site to check the message. Another
> > example is to never accept an invitation to link from someone you
> > don't know unless someone you know vouches for them. Taking these
> > sorts of steps significantly reduces potential risks.
> >
> > I do recommend applying SPF/DKIM/DMARC validation to inbound mail
> > streams. ISPs and mailbox providers such as Gmail, Yahoo! and AOL are
> > ahead of enterprises in doing this. Inbound email authentication
> > validation adds a layer of protection to protect your users and
> > organization. If you have a brand/domain at risk it is useful to
> > implement on the sending side to help protect your customers, partners
> > and vendors.
> >
> > Reporting malicious URLs and redirectors that arrive in your inbox(es)
> > or traps to APWG is useful, as is reporting them to the abuse contact
> > in whois or to the upstream provider.
> >
> > A good practice is to also implement BCP38 outbound filtering. It
> > protects your reputation and ultimately helps protect everyone else from
> > abuse emanating from your network.
> >
> > Just a few thoughts,
> >
> > Mike
> >
> > On Wed, Apr 10, 2013 at 5:52 PM, Paul D. Robertson <paul@compuwar.net> wrote:
> >> Outside of constant training and blocking Facebook/LinkedIn does anyone
> >> have any good pointers or tools for phishing/spear phishing threats?
> >>
> >> Paul
> >> --
> >> President and Chairman, FluidIT Group
> >> Moderator, Firewall-Wizards
> >> http://pauldrobertson.net
> >> http://pauldrobertson.com
> >> @compuwar
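Dotzero's recommendation above to run SPF/DKIM/DMARC validation on inbound mail, illustrated with an added example that is not code from anyone in the thread: it reads the Authentication-Results header an inbound MTA adds after checking SPF and DKIM, then applies DMARC's alignment rule, so a mail that passes SPF for an unrelated envelope domain still fails for the From: domain the user actually sees. The two sample messages and the two-label organizational-domain shortcut are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages (not from the thread). The first is an ordinary
# notification; the second spoofs the visible From: domain the way a
# credential-phishing mail would. Both carry an Authentication-Results header.
LEGIT_MSG = """From: Alerts <alerts@example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com
Subject: Weekly report

(body)
"""

SPOOFED_MSG = """From: IT Helpdesk <helpdesk@example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=newsletter.attacker-mail.test;
 dkim=none
Subject: There is an issue with your account

(body)
"""


def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # A real DMARC implementation consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).lower() if m else None


def parse_auth_results(value):
    """Extract SPF/DKIM results and the identifiers they authenticated."""
    flat = " ".join(value.split())  # undo RFC 5322 header folding
    spf_id = grab(r"smtp\.mailfrom=([^\s;]+)", flat)
    return {
        "spf": grab(r"\bspf=(\w+)", flat),
        "spf_domain": spf_id.rsplit("@", 1)[-1] if spf_id else None,
        "dkim": grab(r"\bdkim=(\w+)", flat),
        "dkim_domain": grab(r"header\.d=([^\s;]+)", flat),
    }


def aligned(from_domain, auth_domain, strict):
    if not auth_domain:
        return False
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(raw, strict=False):
    """DMARC passes only if SPF or DKIM passed AND that authenticated
    identifier aligns with the RFC5322.From domain the user sees; SPF
    passing for an unrelated envelope sender does not count."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_ok = ar["spf"] == "pass" and aligned(from_domain, ar["spf_domain"], strict)
    dkim_ok = ar["dkim"] == "pass" and aligned(from_domain, ar["dkim_domain"], strict)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}
```

The spoofed sample passes SPF yet fails DMARC, which is the case a gateway that only checks SPF would wave through.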
------------------------------
Message: 3
Date: Fri, 12 Apr 2013 17:36:39 -0500
From: John Michealson <micheajp@gmail.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 5
To: "firewall-wizards@listserv.icsalabs.com"
<firewall-wizards@listserv.icsalabs.com>
Cc: "firewall-wizards@listserv.icsalabs.com"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CBF50DA9-6D7E-4D13-8A40-22FAF715B1F1@gmail.com>
Content-Type: text/plain; charset=us-ascii
Well, the OP was in reference to tools.... hence my post. I respect your opinion (and agree to an extent) but the state of things is very much like capitalism - a grand ideal but inevitably doomed once human nature (greed) is added. The only true fix is based upon the humans using the systems (all of them) understanding they cannot simply click on anything they would like to. This isn't feasible. Education is a start but not the be-all. Alternatively, blocking all non-vital corporate communication is also not feasible.
------------------------------
Message: 4
Date: Fri, 12 Apr 2013 18:01:46 -0700
From: Kyle Creyts <kyle.creyts@gmail.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<CA+TcGd8Prar1GyK4OmrfQ0sP-ouspMGRt46_bjOpckeu=8RTaQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
For one, the ship's hull is supposed to have "leaks" because water is
supposed to flow through the hull; this is how this particularly strange
ship operates and provides the passengers with the essentials to do their
duties.
Otherwise we'd keep it out of the water. (ha ha, air gap)
However, as security folk, we're rather concerned about things that are
toxic to the passengers coming in with the water...
Unfortunately, to most of the systems we use to filter hull intake and
output, protecting the passengers and their belongings, the toxic materials
tend to look a lot like water.
Most of these filters don't even know what the toxins are today. They're
mostly throwback technology from a time before toxins, which only had to
know the difference between water, seaweed, and sand. They know what water
typically looks like, and they'll keep out the seaweed and sand, but we've
told them that we want to let water in.
Some newer systems are a bit better about filtering out the toxins, but
they frequently cost quite a bit, and most ships continue to run without
them in place.
Of course most of the passengers can't distinguish either.
In spite of people running around and announcing the dangers of toxins,
nobody really seems to know how to teach the passengers to identify them,
and most of the passengers are in too big of a hurry to care; drinking one
glass of water with toxins in it probably won't kill them. Besides, many of
them have filters on the faucets. Even if most of the faucet filters can
only catch toxins they've seen before...
Some passengers even bring toxins with them onto the ship.
As others have mentioned, this whole process is only one of many
responsibilities of those responsible for it, if they are even still with
the ship. There are only so many engineers on the boat, they usually have
to be trained to maintain this process or clean up toxins, and they have a
lot of other systems to care for.
--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
------------------------------
End of firewall-wizards Digest, Vol 64, Issue 6
***********************************************