Allen Pomeroy

IT security thoughts and personal stuff

How to secure your home PC

Whether you have a Mac or a Windows PC, there are some basic steps you can take to reduce the risk and personal impact of a malware infection.  This advice matters most when you have just purchased a new Mac or Windows system: there are several steps you can take to protect your new investment and, more importantly, your information. In what follows I mainly focus on Windows, as that’s the technology my non-IT friends ask about most.

Basically what you should be doing is:

  1. Ensure that a hardware firewall/router is in between the internet and the PC (I’ll just call it a firewall from now on)
    • Use a recognized brand name like Linksys, avoid the no-name generics as they often have bad defaults and don’t implement the stateful-packet-inspection that you want to filter out most of the cruft on the Internet from reaching your PC
  2. Ensure all default passwords on the firewall and PC have been changed
    • When you initially turn on the power to your PC and to your firewall, do NOT have them connected to your cable or DSL modem initially.  Do the setup of your firewall and PC first in order to ensure malware doesn’t have a chance to get at your shiny new PC before you’ve turned on the needed protection
    • Point a browser to your firewall (likely 192.168.0.1 or 192.168.1.1) and change the default administrator password.  This is very important, as some malware will seek out your firewall and try to use the manufacturer default password to change things like your DNS server settings – inserting the bad guys in between you and the rest of the Internet (eg. forcing your traffic to them first before it goes to your bank)
  3. All normal accounts used for day-to-day business on the computer should NOT have administrator privilege (see my post on running without admin privileges)
    • On Windows XP, Vista (and I think 7), the default “user” that accesses the PC has full administrative privilege, which enables software installation and configuration changes.  This is very dangerous, as malware that you come in contact with from infected emails or websites uses this privilege to install spyware, keyloggers, backdoors and other nasty stuff on your PC – without your explicit permission
    • Set a password for your Administrator account
    • Create a new user right away, before you set up your email, music, photos, documents, etc; ensure that new user is NOT a Computer Administrator
    • Always login with this non-Administrator username for your day-to-day use; only use the Computer Administrator username for software installation and configuration changes.
  4. Never surf the Internet with an account that has administrative privilege
  5. If this is a shared PC for a business, ensure employees’ accounts are individually assigned (if practical). Ensure those employee accounts are not administrators (unless there is a need and a high degree of trust)
  6. Run a good commercial anti-virus program with annual software support (or a subscription)
    • There are some good free AV packages (AVG, Clamwin, Avast) .. Google them for the links
    • Sophos makes a good Mac AV package .. yes, Macs are vulnerable to malware as well; it’s just not as prevalent
  7. Finally ensure regular (daily) backups are being run to protect your business, financial, customer information from loss if there is a problem with the PC
  8. For setup of your wireless access point (if you have one .. sometimes it’s built into the router/firewall)
    • Choose wireless encryption of at least WPA or WPA2 .. never use WEP or no encryption
    • There is no significant increase in security by obscuring your network name (SSID)
    • Don’t use any personally identifiable information in your network name

If you are unsure of how to do any of these steps, get one of your computer knowledgeable friends to help you.  Of course if you are purchasing a new system right now, I’d strongly recommend you check out Apple’s Mac products.  They’re not immune to malware, but the architecture and core are by design much less vulnerable to the types of malware that plague Windows.

FreeMind mind mapping tool

Have you ever had a daunting task that just seemed like a nightmare to get your head around how to organize it? If you’re like me, you try to find some patterns in all the individual elements that make up whatever the topic is you’re trying to get a handle on. The patterns may not come easily, and even if they do, it’s usually a pain to try and re-categorize an element as you see fit (ever tried to create lists and categorize things in Excel??).

I came across a tool that one of my clients uses called FreeMind – it’s a Java app that allows you to enter a number of text elements and reorganize them in a hierarchical fashion.

FreeMind example

Ok, one can do that with an unstructured word processor document or a spreadsheet, but FreeMind allows you to dump all these random ideas onto the page then drag and drop into categories or tags that make sense as you’re rearranging the elements.

So after about an hour of dropping in ideas around areas of improvement for the IT security of one of my clients, I had over 250 elements organized into 8 high level categories and about 18 subcategories. It was grouped well enough to lead discussions on what the current priorities for their programmes should be. If I had attempted this in a spreadsheet (and I had) it would have taken hours and untold frustration – not to mention I probably would have missed relationships that I could see in FreeMind.

FreeMind icons

You can add icons to each element to make labeling and categorization easier. Best to check out the FreeMind home page as it is a feature rich tool. From the project Wiki, typical uses include:

  • Keeping track of projects, including subtasks, state of subtasks and time recording
  • Project workplace, including links to necessary files, executables, source of information and of course information
  • Workplace for internet research using Google and other sources
  • Keeping a collection of small or middle sized notes with links on some area which expands as needed. Such a collection of notes is sometimes called knowledge base.
  • Essay writing and brainstorming, using colors to show which essays are open, completed, not yet started etc, using size of nodes to indicate size of essays. I don’t have one map for one essay, I have one map for all essays. I move parts of some essays to other when it seems appropriate.
  • Keeping a small database of something with structure that is either very dynamic or not known in advance. The main disadvantage of such approach when compared to traditional database applications are poor query possibilities, but I use it that way anyway – contacts, recipes, medical records etc. You learn about the structure from the additional data items you enter. For example, different medical records use different structure and you do not have to analyze all the possible structures before you enter the first medical record.
  • Commented internet favorites or bookmarks, with colors and fonts having the meaning you want

What a great tool .. I’m sure I’ll find more uses for it!

Electronic Health Records in Alberta

Thinking of the challenges associated with creating electronic healthcare records for all healthcare users in Alberta. Typical government projects don’t have the best track record for maintaining proper security architecture, much less implementation. Starting to dig into this for my next paper, and I’m somewhat underwhelmed with what I see. Do we have a choice to opt out? Is there any way to ensure our health records don’t get compromised and exposed publicly? I guess I’ll be searching for some answers.

  • Published: Sep 8th, 2009
  • Category: tech

Sifting through Checkpoint FW1 logs

Recently I found myself in the unhappy position of needing to sift through slightly more than a billion Checkpoint Firewall-1 log lines, looking for specific patterns of access. The problem was that many of the exported fwm log files had differing column positions and there had been many ruleset changes over the course of 11 months worth of log data. Many of the excellent FW1 log summarization tools (such as Peter Sundstrom’s fwlogsum) didn’t handle the hundreds of files and differing column positions.

The final scripted solution was processing over 11,000 lines/second .. and still took over 23 hours for the first run.

Log file exports via fwm logexport can have variable column positioning, except for record ID number “num”, which is *always* column number one.  I see three viable alternatives to the changing column position in the ASCII log files exported via fwm – so we can automate the log processing:

  • Export the FW1 log file to ASCII via
    fwm logexport -i fw1-binary-logfile -o fw1-ascii-logfile.txt -n -p
    1. Parse the header line (line #1) of every log file and dynamically map (rearrange) the columns to a pre-determined standard in memory before further processing (painful, expensive)
    2. Tell Checkpoint fwm to export in a fixed column ordering: create logexport.ini and place it in the $FWDIR/conf directory (eg. on fwmgmtsrv: C:\WINDOWS\FW1\R65\FW1\conf). Contents of logexport.ini:
        [Fields_Info]
        included_fields = num,date,time,orig,origin_id,type,action,alert,i/f_name,i/f_dir,product,rule,src,dst,proto,service,s_port,xlatesrc,xlatedst,nat_rulenum,nat_addtnl_rulenum,xlatesport,xlatedport,user,partner,community,session_id,ipv6_src,ipv6_dst,srckeyid,dstkeyid,CookieI,CookieR,msgid,elapsed,bytes,packets,start_time,snid,ua_snid,d_name,id_src,ua_operation,sso_type_desc,app_name,auth_domain,uname4domain,wa_headers,result_desc,r_dest,comment,url,redirect_url,enc_desc,e2e_enc_desc,auth_result,attack,log_sys_message,rule_uid,rule_name,service_id,resource,reason,cat_server,dstname,SOAP Method,category,ICMP,message_info,TCP flags,rpc_prog,Total logs,Suppressed logs,DCE-RPC Interface UUID,Packet info,message,ip_id,ip_len,ip_offset,fragments_dropped,during_sec
    3. Use OPSEC LEA tools to extract event log records instead of export via fwm logexport

    Once the ASCII log files are available for processing, my fw1logsearch.pl script can be used to find complex patterns of interest.  Any matching records found by fw1logsearch will be output with an initial FW1 header line so that fw1logsearch can be used iteratively, to build very complex search criteria.  fw1logsearch can also write out a discard file allowing completely negative logic searches resulting in 100% of the input data separated into a match file and a didn’t match file.  Some examples of how I’ve used it are shown here:

    gunzip -c fwlogs/2009*gz | \
    fw1logsearch.pl --allinclude \
    -S '10\.1\.1[1359]\.|10\.2\.1[01]\.|192\.168\.2[245]\.' \
    -d '10\.1\.1[1359]\.|10\.2\.1[01]\.|192\.168\.2[245]\.' \
    -p '^1310$|^1411$|^1812$|^455' | \
    fw1logsearch.pl -S '192\.168\.22\.14$|10\.2\.11\.12$' |\
    fw1logsearch.pl --allexclude \
    -S '^192\.168\.24\.12$' -P '^1310$' --rejectfile 192-168-24-12-port-1310.txt

    Line by line:
    1. Unzip the compressed ASCII log files and feed them to the first instance of fw1logsearch.pl.
    2. First fw1logsearch.pl (--allinclude): all conditions must be true for an event to match.
       • Source address must NOT be in any of the following regex ranges: 10.1.11.*, 10.1.13.*, 10.1.15.*, 10.1.19.*, 10.2.10.*, 10.2.11.*, 192.168.22.*, 192.168.24.*, 192.168.25.*
       • Destination address must be in one of the same regex ranges.
       • Service (destination port) must be exactly 1310, 1411 or 1812, or any port starting with 455.
       • No protocol is specified, so it will match either TCP or UDP.

    fw1logsearch.pl will output any matching events to stdout, including a FW1 log header line, so the next instance of fw1logsearch.pl continues filtering the result set.

    3. The second fw1logsearch.pl specifies that the source address must NOT be either 192.168.22.14 or 10.2.11.12.
    4. The last fw1logsearch.pl excludes port 1310 from 192.168.24.12, puts all those records into a separate reject file, and writes the other records to stdout.

    This script has been used to process over 4 billion records within the project I wrote it for – and precisely found all the use of particular business cases I needed to modify.  The result was zero outages and no unintended business interruption.
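    The following is an added example, not the author's fw1logsearch.pl (Python rather than Perl): it implements alternative 1 above (read each file's header, remap records to one standard column order) together with the include/exclude and allinclude/allexclude semantics from the help text, and emits a header only when something matched so stages can be chained. The ";" delimiter (fwm logexport's default when -d is not given) and the sample records are assumptions constructed for the demo.

```python
import re

DELIM = ";"  # fwm logexport's default field delimiter (assumption: no -d override was used)

# Constructed sample exports: the same columns, in different positions (only "num" is fixed).
FILE_A = """num;date;time;orig;action;src;dst;proto;service;rule
1;8Jun2009;10:00:01;192.168.2.3;accept;10.1.11.5;192.168.22.14;tcp;1310;12
2;8Jun2009;10:00:02;192.168.2.3;accept;172.16.0.9;192.168.24.7;tcp;1411;12
3;8Jun2009;10:00:03;192.168.2.3;drop;172.16.0.9;192.168.24.7;udp;53;99
"""
FILE_B = """num;date;time;action;orig;rule;src;dst;service;proto
7;9Jun2009;11:30:00;accept;10.10.2.4;12;172.16.5.5;10.2.10.20;4550;tcp
8;9Jun2009;11:30:01;accept;10.10.2.4;12;172.16.5.5;10.9.9.9;1310;tcp
"""

# The post's first pipeline stage: --allinclude with -S (exclude) plus -d and -p (include).
NETS = r"10\.1\.1[1359]\.|10\.2\.1[01]\.|192\.168\.2[245]\."
STAGE1_INCLUDE = {"dst": NETS, "service": r"^1310$|^1411$|^1812$|^455"}
STAGE1_EXCLUDE = {"src": NETS}


def parse_export(text):
    """Parse one fwm logexport ASCII file.  Line 1 names the columns for *this*
    file; each later line is a record in that order, returned as a dict."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:  # an empty upstream result (no header) yields no records
        return [], []
    header = lines[0].split(DELIM)
    if header[0] != "num":
        raise ValueError("not a logexport file: first column must be 'num'")
    records = []
    for ln in lines[1:]:
        fields = ln.split(DELIM)
        records.append({name: fields[i] if i < len(fields) else ""
                        for i, name in enumerate(header)})
    return header, records


def search(files, include, exclude, all_include=False, all_exclude=False):
    """Apply per-column regexes across several exports.  Without --allinclude a
    single include hit selects a record; without --allexclude a single exclude
    hit rejects it.  Rows are remapped to the first file's column order so the
    output is one consistent export that can be fed back into search()."""
    inc = {col: re.compile(rx) for col, rx in include.items()}
    exc = {col: re.compile(rx) for col, rx in exclude.items()}
    std_header, matched, rejected = None, [], []
    for text in files:
        header, records = parse_export(text)
        std_header = std_header or header
        for rec in records:
            inc_hits = [bool(rx.search(rec.get(c, ""))) for c, rx in inc.items()]
            exc_hits = [bool(rx.search(rec.get(c, ""))) for c, rx in exc.items()]
            wanted = (all(inc_hits) if all_include else any(inc_hits)) if inc_hits else True
            dropped = (all(exc_hits) if all_exclude else any(exc_hits)) if exc_hits else False
            row = [rec.get(c, "") for c in std_header]  # columns absent in this file become ""
            (matched if wanted and not dropped else rejected).append(row)
    return std_header or [], matched, rejected


def render(header, rows):
    """Serialise rows as a logexport file; the header is emitted only when
    there is at least one matching row, as the script's help describes."""
    if not rows:
        return ""
    return "\n".join(DELIM.join(r) for r in [header] + rows) + "\n"


if __name__ == "__main__":
    hdr, hits, rejects = search([FILE_A, FILE_B], STAGE1_INCLUDE, STAGE1_EXCLUDE, all_include=True)
    print(render(hdr, hits), end="")
    # Second stage, like the post's --allexclude step: drop port 4550 from one host only.
    hdr2, hits2, rejectfile = search([render(hdr, hits)], {},
                                     {"src": r"^172\.16\.5\.5$", "service": r"^4550$"},
                                     all_exclude=True)
    print("kept", [r[0] for r in hits2], "rejected", [r[0] for r in rejectfile])
```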

    Basic syntax/help file:

    Usage:  fw1logsearch.pl
    [-a|--incaction|-A|--excaction <action regex>]
    [-p|--incservice|-P|--excservice <dst port regex>]
    [-b|--incs_port|-B|--excs_port <src port regex>]
    [-s|--incsrc|-S|--excsrc <src regex>]
    [-d|--incdst|-D|--excdst <dst regex>]
    [-o|--incorig|-O|--excorig <fw regex>]
    [-r|--incrule|-R|--excrule <rule-number regex>]
    [-t|--incproto|-T|--excproto <proto regex>]

    [--dnscache <dns-cache-file>]
    [--resolveip]
    [--allinclude]
    [--allexclude]
    [--rejectfile <file>]
    [--debug <level>]

    fw1logsearch.pl will search a fwm logexport text file for regex patterns specified for supported columns (such as service, src, dst, rule, action, proto and orig).

    Include and exclude regex matches may be specified on the same line, although they both will include (print) a line or exclude (reject) a line based on single matches.  Allinclude or Allexclude must be specified to force a match only on all specified column regex patterns.

    Regex patterns can be enclosed with single quotes to include characters that are special to the shell, such as the ‘or’ (|) operator.

    Header will be output only if there are any matching lines.

    Example invocations:
    $ cat 2008-07-07*txt | \
    fw1logsearch.pl \
    -p '53|domain' \
    -d '192.168.1.2|host1|10.10.1.2|host2' \
    -o '192.168.2.3|10.10.2.4|10.10.4.5' \
    -S '64.65.66.67|32.33.34.35|10.10.*|192.168.*' \
    --resolveip
    Will require the destination port (service) to be 53, the destination IP to be any of 192.168.1.2, host1, 10.10.1.2, or host2, the reporting firewall (origin) to be any of 192.168.2.3, 10.10.2.4, or 10.10.4.5, and the source IP must not be any of 64.65.66.67, 32.33.34.35, 10.10.*, or 192.168.*.  Any lines that match these criteria will display, and the orig, src, and dst columns will use the default DNS cache file (dynamically built/managed) to perform name resolution, replacing the IP addresses where possible.

    Include regex patterns:
    -a  --incaction    Rule action (accept, deny)
    -b  --incs_port    Source port (s_port)
    -p  --incservice   Destination port (service)
    -s  --incsrc       Source IP|hostname
    -d  --incdst       Destination IP|hostname
    -o  --incorig      Reporting FW IP|hostname
    -r  --incrule      Rule number that triggered entry
    -t  --incproto     Protocol of connection

    Exclude regex patterns:
    -A  --excaction    Rule action (accept, deny)
    -B  --excs_port    Source port (s_port)
    -P  --excservice   Destination port (service)
    -S  --excsrc       Source IP|hostname
    -D  --excdst       Destination IP|hostname
    -O  --excorig      Reporting FW IP|hostname
    -R  --excrule      Rule number that triggered entry
    -T  --excproto     Protocol of connection

    Other options:
    --debug <level>  Turn on debugging
    --dnscache       Specify location of DNS cache file to be used with the Resolve IPs option
    --resolveip      Resolve IPs for orig, src, and dst columns AFTER filtering
    --rejectfile     Write out all rejected lines to a specified file

    Download fw1logsearch.pl

    Summarize the struggle

    So while struggling to write my latest paper on mobile communication technology and the associated vulnerabilities found at the various layers of the network stack, I found this odd little graphic and thought: gee, this really sums up how I feel right now…
    badday

    Of course it doesn’t make writing about 3G network implementation mistakes (Man-in-the-middle attacks on UMTS) any easier, but it did waste some time.

    2009/06/05: Update: Ok, so the paper has been submitted. Now I’m a bit humbled, as I thought 3G mobile network connections were somehow sacred .. and somewhat ‘safe’ from hacking efforts. Alas, what a foolish concept. 3G (or UMTS) is no more immune to hacking than any other network technology that we currently use. UMTS is apparently vulnerable to (trivial?) man-in-the-middle attacks due to the carrier implementation of our shiny new 3G networks. Of course pure UMTS (3G) data networks would be best, however there is this entire encompassing 2G GSM network that includes base stations and controller infrastructure. Our friends K. Kotapati and associates outline some serious issues in A Taxonomy of Cyber Attacks on 3G Networks.  Unfortunately telecom carriers are not going to replace all the 2G infrastructure until absolutely necessary – this opens the vulnerability of 3G equipment (like our new iPhone 3G’s) as they roam onto 2G GSM networks until it has been replaced by all 3G UMTS (or various CDMA variants). Basically 2G base stations are not expected to protect the integrity of signaling messages and are subject to spoofing and manipulation by malicious parties. So someone can impersonate a 2G base station and force your shiny new 3G handset to operate in clear-text .. enabling subscriber information theft and eavesdropping on any non-SSL protected transactions. Hmm. Holy cr@p. Considering a friend of mine has demonstrated this in Calgary in January 2009, this is a bit too close to home for comfort. So if your phone indicates it’s on the EDGE network (E) vs (3G) .. I’d think about turning the power off or at least enclosing your precious iPhone (or Storm) in tin foil .. until you can get back on a 3G network segment.
    Wow. So much for the new mcommerce, eh?

    Road trip places to go

    Calgary -> Las Vegas    19:30 2,109 km

    Map link:

    Full trip:

    http://www.google.com/maps?f=d&source=s_d&saddr=calgary&daddr=bozeman+to:west+yellowstone+to:provo+to:bryce+canyon+to:mesquite,+nv+to:Las+Vegas,+NV+to:Coronado,+CA+to:huntington+beach+,+ca+to:santa+barbara,+ca+to:san+francisco,+ca+to:100+Pythian+Road,+Santa+Rosa,+CA+to:san+francisco,+ca+to:8501+Highway+128,+Philo,+CA+95466+(Scharffenbergers+Cellars)+to:san+francisco,+ca+to:sacramento,+ca+to:san+francisco,+ca+to:redding,+ca+to:eugene,+or+to:portland,+or+to:spokane,+wa+to:invermere,+bc+to:calgary,+ab&geocode=%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3BFX-LVQIdhJWi-CG_hz5Vvafk6Q%3B%3B%3B%3B%3B%3B%3B%3B%3B&hl=en&mra=ls&sll=44.260937,-117.905273&sspn=8.591496,20.126953&ie=UTF8&ll=43.421009,-116.015625&spn=17.419681,40.253906&z=5

    Full trip (yellowstone):

    http://www.google.com/maps?f=d&source=s_d&saddr=calgary&daddr=bozeman+to:Old+Faithful+Geyser,+Teton,+Wyoming+82190+to:provo+to:bryce+canyon+to:mesquite,+nv+to:Las+Vegas,+NV+to:Coronado,+CA+to:huntington+beach+,+ca+to:santa+barbara,+ca+to:san+francisco,+ca+to:100+Pythian+Road,+Santa+Rosa,+CA+to:san+francisco,+ca+to:8501+Highway+128,+Philo,+CA+95466+(Scharffenbergers+Cellars)+to:san+francisco,+ca+to:sacramento,+ca+to:san+francisco,+ca+to:redding,+ca+to:eugene,+or+to:portland,+or+to:spokane,+wa+to:invermere,+bc+to:calgary,+ab&geocode=%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3BFX-LVQIdhJWi-CG_hz5Vvafk6Q%3B%3B%3B%3B%3B%3B%3B%3B%3B&hl=en&mra=pe&mrcr=1,2&sll=41.930422,-117.193999&sspn=35.580777,80.507812&ie=UTF8&ll=44.570904,-110.610352&spn=2.136622,5.031738&z=8

    Down:

    http://www.google.com/maps?f=d&source=s_d&saddr=calgary&daddr=bozeman+to:Old+Faithful+Geyser,+Teton,+Wyoming+82190+to:provo+to:bryce+canyon+to:mesquite,+nv+to:Las+Vegas,+NV+to:Coronado,+CA&geocode=%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3BFX-LVQIdhJWi-CG_hz5Vvafk6Q%3B%3B%3B%3B%3B%3B%3B%3B%3B&hl=en&mra=pe&mrcr=1,2&sll=41.930422,-117.193999&sspn=35.580777,80.507812&ie=UTF8&ll=44.570904,-110.610352&spn=2.136622,5.031738&z=8

    Back:

    http://www.google.com/maps?f=d&source=s_d&saddr=Coronado&daddr=huntington+beach+,+ca+to:santa+barbara,+ca+to:san+francisco,+ca+to:100+Pythian+Road,+Santa+Rosa,+CA+to:san+francisco,+ca+to:8501+Highway+128,+Philo,+CA+95466+(Scharffenbergers+Cellars)+to:san+francisco,+ca+to:sacramento,+ca+to:san+francisco,+ca+to:redding,+ca+to:eugene,+or+to:portland,+or+to:spokane,+wa+to:invermere,+bc+to:calgary,+ab&geocode=%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3B%3BFX-LVQIdhJWi-CG_hz5Vvafk6Q%3B%3B%3B%3B%3B%3B%3B%3B%3B&hl=en&mra=pe&mrcr=1,2&sll=41.930422,-117.193999&sspn=35.580777,80.507812&ie=UTF8&ll=44.570904,-110.610352&spn=2.136622,5.031738&z=8

    Destinations
    ============

    Yellowstone National Park, MT
    - old faithful geyser

    Bryce Canyon, UT
    - rim view

    Las Vegas
    - Caesars – day by the pool
    - Mesa Grill
    - smaller outlet shops

    San Diego, CA
    - Suzie, Coronado, CA
    - seaworld
    - old town san diego

    Capitola, CA
    - http://www.shadowbrook-capitola.com/
    - http://www.gaylesbakery.com/

    San Francisco
    - boutique hotel?
    - St. Francis winery, 100 Pythian Road, Santa Rosa, CA
    - Scharffenberger Cellars

    Sacramento
    - Andy

    Portland, OR
    - eatery: http://foodandink.blogspot.com/2007/10/garden-state.html

    High availability firewalls with OpenBSD, pf and CARP

    One can now inexpensively build a fault tolerant firewall cluster that removes any single point of failure in the security policy enforcement points at your security zone boundaries. Synchronous firewall state table updates and an open source version of virtual router redundancy protocol (CARP) gives the ability to seamlessly insert or remove firewalls from a cluster. No more patching firewalls at 2am hoping for the best (or not patching because it’s too hard).

    PDF

    Setup IMAPS on iPhone 3G with self-signed certificates

    So setting up my shiny new iPhone 3G for IMAPS email was not entirely straightforward.  (-:  There are two complicating factors that I ran into.  For IMAP over SSL (IMAPS) connections to a mail server that is using a digital certificate signed by a well known certificate authority AND running on the default TCP port 993, no problems.  You may have to be a bit patient while the mail app on the iPhone accepts the certificate.  For less standard mail server implementations, read on …

    I am using a server certificate that is in essence a self-signed certificate – it is signed by CAcert.org, however very few (if any) browsers and mobile devices trust or even know of CAcert.org.  In this case, you will need to be patient while the iPhone mail app finally rejects the server certificate as untrusted.  The dialogue box will acknowledge the mail server certificate is invalid and will ask if you want to continue.  Accept the continue option and eventually (took about 5 minutes for my iPhone) the iPhone will accept the ‘invalid’ certificate.

    Now, if you are using a mail server that has IMAPS running on a non-standard port (anything other than TCP 993), you must first establish the connection and have the iPhone accept the certificate over port 993.  Once the mail account is setup initially, then you can go change the port to something non-standard.

    Once I get a chance I’ll post some screen shots.

    Reducing malware risk by removing local Administrator privileges

    Running day-to-day with a Windows account that has Administrator privileges is a recipe for disaster.  Casual browsing of a website that is infected or inadvertent opening of infected attachments can result in an infection through the user’s Administrator privileges.  Something like 92% of Microsoft critical vulnerabilities announced in 2008 could have been mitigated by operating day-to-day as a normal user.  Splitting your accounts into a normal account and admin account is a good idea, but it can lead to some headaches when the normal user needs to run temporarily as Administrator.

    Fortunately there are some workarounds that can be used to temporarily elevate the user’s privileges to Administrator.  Most of these involve the RUNAS command:

    File explorer
    If you’re running IE7 under WinXP, in order to run Windows Explorer with the runas command, it must be run as a separate process. A quick way to do this, without having to change your Folder Options settings, would be to run an instance of Explorer with the undocumented parameter /separate, like this:

    runas /user:domain\username "explorer /separate"

    Command Line Prompt
    You can add a shortcut on the task bar with the following syntax to get an Administrator cmd prompt:

    %windir%\system32\runas.exe /user:yourdomain\a-someuser cmd

    yourdomain is the name of your AD domain if you have one, if not, leave it out.  a-someuser is a suggested naming convention for the Administrator account associated with the user named someuser.

    Super powers that people wished they had…

    Well, been working way too hard, so here’s a bit of a humour break.  The graph below shows the results of a user poll “What super-power do you wish you had”…

    superpowers

    Thanks to Adam B for the tip!

    © 2011 Allen Pomeroy. All Rights Reserved. This is the personal website of Allen Pomeroy. Opinions expressed are not necessarily those of my employer.