“Daniel” from “Microsoft” called me the other day. The number looked halfway legit so I picked up. He out and out claimed to be from Microsoft and said he was getting alerts from my computer. His voice sounded familiar–I think I’d talked to him before.
I was trying to install some software last week and I got an NSIS error. The message certainly suggests corrupt downloads, but corrupt downloads are relatively rare, and when they happen, redownloading it ought to clear that up. Getting two of these failures in a row with different programs is really a freak occurrence, so I started looking for another problem.
Last week at work, I noticed some odd events in an event log, and when I investigated them, I found they were part of a failed ransomware attack. This got me thinking about how to prevent ransomware at home.
Ransomware, if you aren’t familiar, is an attack that encrypts your data and demands a ransom, usually around $300, in bitcoins, and you get a short deadline until it destroys your files. More often than not, paying the ransom is the only way to get the files back, so it’s much better to prevent it.
I lost an afternoon troubleshooting a Websense non-issue. A web site related to Salesforce wasn’t working, and any time something like that happens, Websense goes on trial. About all I can do is make sure it’s a fair trial. Such is the life of a proxy administrator. And in this case, Websense was innocent–the guilty party was a dirty, no-good domain squatter. It’s a business model. And people wouldn’t do it if it didn’t work. Here’s why domain squatting works.
The other day I heard a reference to the “high side vs low side” of a computer system in a podcast, and the speaker didn’t stop to clarify. Worse yet is when you hear “on the low side” or “on the high side.” I came from the private sector into government contracting myself. I wasn’t born knowing this jargon either, so I’ll explain it.
A software developer asked me today about a website called Download More RAM. I don’t think he heard my other coworkers snicker. He asked if it’s possible to download RAM, then asked if it was a security issue. I said it’s best not to visit it, and spared him the history lesson.
I’ve been asked a few times now for my recommended DD-WRT settings, or at least my good-enough settings. I think that’s a great idea, so I’ll walk through how I configure a DD-WRT router. Follow these steps and I can almost guarantee you’ll have the most secure network on your block.
For the purposes of this tutorial, I am going to assume you are configuring DD-WRT as your primary router.
Application whitelisting is the holy grail of security, but it’s always at the top of the list of things people should do but haven’t yet. The reason is because it breaks stuff and it’s almost as impossible to anticipate ahead of time what it’s going to break as it is to fix whatever breaks.
I know. I wanted to do application whitelisting way back in 1997 and failed miserably.
I’ve covered event logging before, but the excellent site Malware Archaelogy has some cheat sheets that include Splunk queries you can use to find incidents or malware operating in your network, or even use to create dashboards so you can keep an eye on things. Malware Archaelogy’s list of events to log is a bit different from what I covered before, but there’s a considerable amount of overlap. You probably want what they recommend and what anyone else is recommending.
The key to corporate computer security is situational awareness, and I don’t think anyone sells a blinky box that provides enough of that. But you can build it with Splunk.
And, for what it’s worth, I do recommend Splunk. I’ve used Log Logic in the past, and its searches often take days to finish, which means Log Logic is so slow that by the time you find anything in it, it’s likely to be too late. Splunk isn’t quite real-time, but you can find stuff in a few minutes.