Tuesday, March 24, 2015

How to Block Ad Networks in SonicWALL

Last year saw several ad networks being compromised and serving malware.  One way to avoid being compromised by further attacks on ad networks is to keep them blocked. While a bit extreme, i have yet to have a user complain that there weren't any ads showing in their browser.  Here's how to do it using App Rules:

1. Create a Match Object:
     Navigate to Firewall => Match Objects.  Add a New Match Object

Object Name:           Ad Networks
Match Object Type: CFS Allow/Forbidden List
Match Type:             Exact Match

Then, Paste the following list into a .txt file and save it:  

adimages.go.com
admonitor.net
ads.specificpop.com
ads.web.aol.com
ads.x10.com
advertising.com
amazingmedia.com
clickagents.com
commission-junction.com
doubleclick.net
go2net.com
infospace.com
kcookie.netscape.com
linksynergy.com
msads.net
qksrv.net
yimg.com
zedo.com
101com.com
101order.com
123found.com
123pagerank.com
180searchassistant.com
adboost.net
adbooth.net
adbot.com
adbrite.com
bidvertiser.com
chitika.com
clicksor.com
pocketcents.com
adinterax.com
adisfy.com
adition.com
adition.de
adition.net
adjix.com
adjug.com
adjuggler.com
adjuggler.yourdictionary.com
adjustnetwork.com
ads.blog.com
ads.bloomberg.com
ads.bluelithium.com
ads.bluemountain.com
ads.bluesq.com
ads.bonniercorp.com
ads.boylesports.com
ads.brabys.com
ads.brain.pk
ads.brazzers.com
ads.bumq.com
ads.businessweek.com
ads.canalblog.com
ads.canoe.ca
ads.carocean.co.uk
ads.casinocity.com
ads.cbc.ca
ads.cc
ads.cc-dt.com
ads.cdfreaks.com
ads.centraliprom.com
ads.cgnetworks.com
ads.channel4.com
ads.cimedia.com
ads.clearchannel.com
ads.cnn.com
ads.co.com
ads.collegclub.com
ads.com.com
ads.comicbookresources.com
ads.contactmusic.com
ads.crakmedia.com
ads.creative-serving.com
ads.creativematch.com
ads.cricbuzz.com
ads.cyberfight.ru
ads.cybersales.cz
ads.dada.it
ads.datinggold.com
ads.datingyes.com
ads.dazoot.ro
ads.deltha.hu
ads.dennisnet.co.uk
ads.desmoinesregister.com
ads.detelefoongids.nl
ads.deviantart.com
ads.digital-digest.com
ads.digitalmedianet.com
ads.digitalpoint.com
ads.directionsmag.com
ads.discovery.com
ads.domeus.com
ads.eagletribune.com
ads.easy-forex.com
ads.eatinparis.com
ads.economist.com
ads.edbindex.dk
ads.egrana.com.br
ads.einmedia.com
ads.electrocelt.com
ads.elitetrader.com
ads.emirates.net.ae
ads.epltalk.com
ads.escalatemedia.com
ads.esmas.com
ads.eu.msn.com
ads.exactdrive.com
ads.exhedra.com
ads.expat-blog.biz
ads.expedia.com
ads.ezboard.com
ads.factorymedia.com
ads.fairfax.com.au
ads.faxo.com
ads.ferianc.com
ads.filmup.com
ads.financialcontent.com
ads.flooble.com
ads.fool.com
ads.footymad.net
ads.forbes.com
ads.forbes.net
ads.forium.de
ads.fortunecity.com
ads.fotosidan.se
ads.foxkidseurope.net
ads.foxnetworks.com
ads.foxnews.com
ads.freecity.de
ads.freeze.com
ads.friendfinder.com
ads.ft.com
ads.futurenet.com
ads.gamecity.net
ads.gameforgeads.de
ads.gamershell.com
ads.gamespyid.com
ads.gamigo.de
ads.gaming-universe.de
ads.gawker.com
ads.geekswithblogs.net
ads.glispa.com
ads.globeandmail.com
ads.gmodules.com
ads.godlikeproductions.com
ads.good.is
ads.goyk.com
ads.gplusmedia.com
ads.gradfinder.com
ads.grindinggears.com
ads.groundspeak.com
ads.gsm-exchange.com
ads.gsmexchange.com
ads.guardian.co.uk
ads.guardianunlimited.co.uk
ads.guru3d.com
ads.hardwaresecrets.com
ads.harpers.org
ads.hbv.de
ads.hearstmags.com
ads.heartlight.org
ads.hideyourarms.com
ads.hollywood.com
ads.horsehero.com
ads.horyzon-media.com
ads.iafrica.com
ads.ibest.com.br
ads.ibryte.com
ads.icq.com
ads.iforex.com
ads.ign.com
ads.img.co.za
ads.imgur.com
ads.incgamers.com
ads.indiatimes.com
ads.infi.net
ads.internic.co.il
ads.ipowerweb.com
ads.isoftmarketing.com
ads.itv.com
ads.iwon.com
ads.jewishfriendfinder.com
ads.jiwire.com
ads.jobsite.co.uk
ads.jpost.com
ads.jubii.dk
ads.justhungry.com
ads.kaktuz.net
ads.kelbymediagroup.com
ads.kinobox.cz
ads.kinxxx.com
ads.komli.com
ads.kompass.com
ads.krawall.de
ads.lesbianpersonals.com
ads.linuxfoundation.org
ads.linuxjournal.com
ads.linuxsecurity.com
ads.livenation.com
ads.localnow.com
ads.lvz-online.de
ads.mambocommunities.com
ads.mariuana.it
ads.massinfra.nl
ads.mcafee.com
ads.mediaodyssey.com
ads.mediaturf.net
ads.medienhaus.de
ads.mgnetwork.com
ads.mmania.com
ads.moceanads.com
ads.motor-forum.nl
ads.motormedia.nl
ads.movieflix.com
ads.msn.com
ads.multimania.lycos.fr
ads.nationalgeographic.com
ads.ncm.com
ads.netclusive.de
ads.netmechanic.com
ads.networksolutions.com
ads.newdream.net
ads.newgrounds.com
ads.newmedia.cz
ads.newsint.co.uk
ads.newsquest.co.uk
ads.newtention.net
ads.nigella.com
ads.ninemsn.com.au
ads.nj.com
ads.nola.com
ads.nordichardware.com
ads.nordichardware.se
ads.nwsource.com
ads.nyi.net
ads.nytimes.com
ads.nyx.cz
ads.nzcity.co.nz
ads.o2.pl
ads.oddschecker.com
ads.okcimg.com
ads.ole.com
ads.olivebrandresponse.com
ads.oneplace.com
ads.ookla.com
ads.optusnet.com.au
ads.outpersonals.com
ads.p161.net
ads.passion.com
ads.pennet.com
ads.penny-arcade.com
ads.pheedo.com
ads.phpclasses.org
ads.pickmeup-ltd.com
ads.pkr.com
ads.planet.nl
ads.pni.com
ads.pof.com
ads.powweb.com
ads.primissima.it
ads.prisacom.com
ads.program3.com
ads.psd2html.com
ads.pushplay.com
ads.quaylemedia.com
ads.quoka.de
ads.rcs.it
ads.realmedia.de
ads.recoletos.es
ads.rediff.com
ads.redlightcenter.com
ads.redtube.com
ads.resoom.de
ads.returnpath.net
ads.rottentomatoes.com
ads.rpgdot.com
ads.s3.sitepoint.com
ads.satyamonline.com
ads.savannahnow.com
ads.scifi.com
ads.seniorfriendfinder.com
ads.sexinyourcity.com
ads.shizmoo.com
ads.shopstyle.com
ads.sift.co.uk
ads.silverdisc.co.uk
ads.skins.be
ads.slim.com
ads.smartclick.com
ads.smartshopping.co.uk
ads.soft32.com
ads.space.com
ads.spoonfeduk.com
ads.sprotiv.org
ads.sptimes.com
ads.stackoverflow.com
ads.stationplay.com
ads.struq.com
ads.sun.com
ads.supplyframe.com
ads.switchboard.com
ads.t-online.de
ads.tahono.com
ads.techtv.com
ads.techweb.com
ads.telegraph.co.uk
ads.theglobeandmail.com
ads.themovienation.com
ads.thestar.com
ads.thewebfreaks.com
ads.timeout.com
ads.tjwi.info
ads.tmcs.net
ads.top500.org
ads.totallyfreestuff.com
ads.townhall.com
ads.trinitymirror.co.uk
ads.tripod.com
ads.tripod.lycos.co.uk
ads.tripod.lycos.de
ads.tripod.lycos.es
ads.tripod.lycos.it
ads.tripod.lycos.nl
ads.tripod.spray.se
ads.tso.dennisnet.co.uk
ads.tweetmeme.com
ads.uknetguide.co.uk
ads.ultimate-guitar.com
ads.uncrate.com
ads.undertone.com
ads.uploading.com
ads.usatoday.com
ads.v3.com
ads.verticalresponse.com
ads.vgchartz.com
ads.videosz.com
ads.virtual-nights.com
ads.virtualcountries.com
ads.vnumedia.com
ads.weather.ca
ads.web.aol.com
ads.web.cs.com
ads.web.de
ads.webmasterpoint.org
ads.websiteservices.com
ads.whi.co.nz
ads.whoishostingthis.com
ads.wiezoekje.nl
ads.wikia.nocookie.net
ads.wineenthusiast.com
ads.wunderground.com
ads.wwe.biz
ads.xhamster.com
ads.xtra.co.nz
ads.y-0.net
ads.yimg.com
ads.yldmgrimg.net
ads.yourfreedvds.com
ads.youtube.com
ads.zdnet.com
ads.ztod.com
ads03.redtube.com
ads1.canoe.ca
ads1.mediacapital.pt
ads1.msn.com
ads1.rne.com
ads1.theglobeandmail.com
ads1.virtual-nights.com
ads10.speedbit.com
ads180.com
ads2.brazzers.com
ads2.clearchannel.com
ads2.collegclub.com
ads2.collegeclub.com
ads2.exhedra.com
ads2.gamecity.net
ads2.jubii.dk
ads2.net-communities.co.uk
ads2.oneplace.com
ads2.rne.com
ads2.virtual-nights.com
ads2.xnet.cz
ads2004.treiberupdate.de
ads3.gamecity.net
ads3.virtual-nights.com
ads4.clearchannel.com
ads4.gamecity.net

You can add more, but the file must remain below 8kb total.

Once the file is saved, click on the Load From File Button:


Select your file and click upload:

Once the file finishes uploading, You should see the list populate:


Click OK and then Create another Match Object:
Object Name:  Content Filtering
Match Object Type: CFS Category List

Select the items you want from the list:

Click OK

Next, we will add an App Rule using this match object:

Navigate to Firewall => App Rules and click Add New Policy

Copy the settings in the image below:

Lastly, configure the content filtering in Security Services => Content filtering and select the Via App Rules option under the CFS Policy Assignment Selection.


**NOTES**
This will remove any allowed or blocked domains you have added to content filtering.

To add Allowed Domains, create another CFS Allow/Denied match object with he list you need allowed and select that list in the CFS Allow/Excluded list selection.

To manually add Blocked Domains, add them to the Ad Networks Match Object.

   

Tuesday, February 24, 2015

The Art of Phish - A more in depth analysis of the issue

Very recently, and as I discussed in my last post, I received a very good phishing email that was well targeted, relevant to my status as a student, and very convincingly put together.  This lead me to think about the best way to protect my customers from being that victim of a Phishing campaign.  

Spearphishing has changed the game a bit.  With tools like Data.com out there giving incredibly in depth information for a very low price (around $1 per contact, less if you know how to use Google properly) someone who wants in to an organization will have no problem finding the names and email addresses of high ranking people to attack.  Spammers and phishing used to require a wide net, which meant that it was likely some blacklist somewhere would pick up the spammer and help to protect your users.  Now, with such targeted attacks, we can no longer rely on blacklists for anything but the most mundane spam protection.  

So what can protect us?

We are faced with an ever expanding number of platforms that access corporate email and resources.  Because of this, we need to look at how to protect at a server level, regardless of the email client used to access emails.  I am a big fan of content filtering emails, but can we somehow integrate a back check on links?  Is there even a decent threat intelligence database on phishing attacks?

I have been vocal in my thoughts on threat intelligence, and because someone can spin up an AWS instance and register a domain name in minutes these days, I really don't think that the model of threat intel works at all for anti-phishing, especially the targeted spearphishing that I am really concerned with.  White listing links would be an option, but there's no possible way for an IT department of any size to manage a white list of acceptable websites that are allowed to send a link.  It would be a huge burden, and would quickly die off as a good idea that couldn't be maintained.

Also, a huge portion of the malware i see delivered to my clients is through malicious software uploaded to sites like Dropbox and others that may have legitimate business uses.  I can't virus scan them because the file is out in the cloud.  I can't block Dropbox for a lot of clients because they do use it for legitimate purposes,

So what can we do?

I have three things i am going to try to implement going forward.

1. Strip display names from emails.  Sure, they look nice and make email more readable, but they also hide the domain name of the email address.  If I don't deliver a display name, no client will display it, unless it's already in their address book.  I want people to see raw email addresses as opposed to the masqueraded display names attackers hide behind.  As i figure out how to do this in Exchange, i will put up another post with directions.

2. Disable HREF's and display them in plaintext - Making a user copy and paste an address will discourage mobile use, and is a tried and true way to make a user look harder at a link.

3. Educate users about the risks continuously, instead of in one big class.  If we make education a continuous process, and make the content relevant and simple, we will get better results than we would in a classroom environment.

Monday, February 23, 2015

The Art of Phish - Spamming in the new age of Infosec

Those of you who know me from Twitter may have seen that I posted a pretty convincing Phishing email that I received on Sunday night on my school email account.  I took away a few things as a security practitioner from this event.

1. Display names should always be displayed with an email address.  Sure, display names look pretty but seeing "Amazon Student" instead of the spammy email address that was hiding behind that probably leads to far more clicks that it would if people saw the whole picture up front.

2. Phishing emails are getting really REALLY good.  People will fall for them not because they're lazy of overly gullible, they will fall for them because there is an art to spamming.

3. Links should be displayed - I turn off HTML formatting when I see a suspicious message.  Maybe we can pop up something that displays just the domain name of the link before a user is allowed to follow it?  I am open to suggestions here.

These get better every day, and no user training in the world is going to eliminate this activity.  Tight content filtering policies would have prevented this one, when I cross checked the destination URL it showed up as an uncategorized site.


Friday, February 13, 2015

Where does threat intelligence best fit in? Securing from the Inside Out

To answer this question, I started with a different question:

"What threats are causing me problems, and what threats do I foresee causing me issues"

I went back through trouble tickets and assigned the treat sources to categories as I ran across them.  I did not define my buckets before I started, as I did not want any bias to be present to confirm any of my current suspicions.  I really came up with three categories of threat vector:

1. Googling downloads: A huge amount of the malware we deal with daily comes from malicious repacks of iTunes and Flash, among a few other things. 

How can I block access to malware laden repacks?

2. Phishing: This one really goes without explanation.

How can I block the most common phishing attacks?

3. Personal Email: People need to be able to check personal email at work, I understand this.  I know many of you will disagree, but the political impact of blocking personal email accounts at the office is significant and isn't a battle worth fighting for a lot of execs.  I know of one CISO who lost his job because he implemented this, and would not relent.  

How can I prevent users from bypassing email scanning and downloading compromised attachments?

With those three questions asked, the answer for me was even fuzzier than before.  How does threat intelligence help with these problems, and is threat intelligence the answer to my questions.

For me the answer was no to two of these problems, and a maybe to the first.  Would threat intel help me with the problem of people Googling downloads?  Probably.  Can I do it effectively without buying another blinky box?  Probably.

If I were managing a perimeter that had a large attack surface, I could see spending the money on something to dynamically update lists of bad IP's and IPS definitions.  But as we have seen in the past few years, most major breaches have come through much more hard to predict threat vectors that I am not sure current versions of threat intel really help with.  

What I am driving at is that for me, I will be focused on securing from the Inside to the outside as opposed to focusing on the perimeter and trying to prevent script kiddies from port scanning my web servers.  My analysis of threats that are the most prevalent leads me to look at workstation integrity first and foremost.