Tuesday, March 24, 2015

How to Block Ad Networks in SonicWALL

Last year saw several ad networks being compromised and serving malware.  One way to avoid being compromised by further attacks on ad networks is to keep them blocked. While a bit extreme, I have yet to have a user complain that there weren't any ads showing in their browser.  Here's how to do it using App Rules:

1. Create a Match Object:
     Navigate to Firewall => Match Objects.  Add a New Match Object.

Object Name:        Ad Networks
Match Object Type:  CFS Allow/Forbidden List
Match Type:         Exact Match

Then paste the following list into a .txt file and save it:


You can add more, but the file must remain below 8 KB total.
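An added helper for preparing the list file (my own code, not from the post or from SonicWALL): it lowercases and trims each entry, drops blanks, rejects anything that is not a bare hostname (an exact-match hostname list cannot match a URL path), removes duplicates, and checks the rendered file against the 8 KB limit. The sample list below is constructed for the example.

```python
"""Normalize and sanity-check a hostname list before uploading it as a
SonicWALL CFS Allow/Forbidden list match object (added example)."""
import re

MAX_BYTES = 8 * 1024  # upload limit stated in the post

# A bare hostname: dot-separated RFC 1123 labels, no scheme, port or path.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Constructed sample, not the post's list: mixed case, stray whitespace,
# a blank line, two duplicates and an entry carrying a URL path that an
# exact-match hostname list would never match.
SAMPLE = """\
doubleclick.net
ADS.web.aol.com
 zedo.com
ads.web.aol.com

adimages.go.com/path
doubleclick.net
"""


def normalize(text):
    """Return (sorted unique hostnames, rejected entries, duplicate count)."""
    seen = set()
    clean, rejected = [], []
    duplicates = 0
    for line in text.splitlines():
        entry = line.strip().lower().rstrip(".")
        if not entry:
            continue
        if not _HOSTNAME.match(entry):
            rejected.append(entry)
        elif entry in seen:
            duplicates += 1
        else:
            seen.add(entry)
            clean.append(entry)
    return sorted(clean), rejected, duplicates


def render(entries, newline="\n"):
    """Build the file body and report its size against MAX_BYTES.
    Pass newline="\\r\\n" if the file is saved from Windows Notepad;
    the extra byte per line counts toward the limit."""
    body = newline.join(entries) + newline
    size = len(body.encode("ascii"))
    return body, size, size <= MAX_BYTES


if __name__ == "__main__":
    hosts, bad, dupes = normalize(SAMPLE)
    body, size, fits = render(hosts)
    print(f"{len(hosts)} hosts, {dupes} duplicates dropped, rejected: {bad}")
    print(f"{size} bytes, within limit: {fits}")
```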

Once the file is saved, click on the Load From File button:

Select your file and click Upload:

Once the file finishes uploading, you should see the list populate:

Click OK, then create another Match Object:

Object Name:        Content Filtering
Match Object Type:  CFS Category List

Select the items you want from the list:

Click OK

Next, we will add an App Rule using this match object:

Navigate to Firewall => App Rules and click Add New Policy

Copy the settings in the image below:

Lastly, configure the content filtering in Security Services => Content filtering and select the Via App Rules option under the CFS Policy Assignment Selection.


**NOTES**
This will remove any allowed or blocked domains you have added to content filtering.

To add Allowed Domains, create another CFS Allow/Denied match object with the list you need allowed and select that list in the CFS Allow/Excluded list selection.

To manually add Blocked Domains, add them to the Ad Networks Match Object.

   

Tuesday, February 24, 2015

The Art of Phish - A more in depth analysis of the issue

Very recently, and as I discussed in my last post, I received a very good phishing email that was well targeted, relevant to my status as a student, and very convincingly put together.  This led me to think about the best way to protect my customers from being the victim of a phishing campaign.

Spearphishing has changed the game a bit.  With tools like Data.com out there giving incredibly in-depth information for a very low price (around $1 per contact, less if you know how to use Google properly), someone who wants into an organization will have no problem finding the names and email addresses of high-ranking people to attack.  Spam and phishing used to require a wide net, which meant that it was likely some blacklist somewhere would pick up the spammer and help to protect your users.  Now, with such targeted attacks, we can no longer rely on blacklists for anything but the most mundane spam protection.

So what can protect us?

We are faced with an ever expanding number of platforms that access corporate email and resources.  Because of this, we need to look at how to protect at a server level, regardless of the email client used to access emails.  I am a big fan of content filtering emails, but can we somehow integrate a back check on links?  Is there even a decent threat intelligence database on phishing attacks?

I have been vocal in my thoughts on threat intelligence, and because someone can spin up an AWS instance and register a domain name in minutes these days, I really don't think that the model of threat intel works at all for anti-phishing, especially the targeted spearphishing that I am really concerned with.  Whitelisting links would be an option, but there's no possible way for an IT department of any size to manage a whitelist of acceptable websites that are allowed to send a link.  It would be a huge burden, and would quickly die off as a good idea that couldn't be maintained.

Also, a huge portion of the malware I see delivered to my clients is through malicious software uploaded to sites like Dropbox and others that may have legitimate business uses.  I can't virus scan them because the file is out in the cloud.  I can't block Dropbox for a lot of clients because they do use it for legitimate purposes.

So what can we do?

I have three things I am going to try to implement going forward.

1. Strip display names from emails.  Sure, they look nice and make email more readable, but they also hide the domain name of the email address.  If I don't deliver a display name, no client will display it, unless it's already in their address book.  I want people to see raw email addresses as opposed to the masqueraded display names attackers hide behind.  As I figure out how to do this in Exchange, I will put up another post with directions.

2. Disable HREFs and display them in plaintext - Making a user copy and paste an address will discourage mobile use, and is a tried and true way to make a user look harder at a link.

3. Educate users about the risks continuously, instead of in one big class.  If we make education a continuous process, and make the content relevant and simple, we will get better results than we would in a classroom environment.

Monday, February 23, 2015

The Art of Phish - Spamming in the new age of Infosec

Those of you who know me from Twitter may have seen that I posted a pretty convincing Phishing email that I received on Sunday night on my school email account.  I took away a few things as a security practitioner from this event.

1. Display names should always be displayed with an email address.  Sure, display names look pretty, but seeing "Amazon Student" instead of the spammy email address that was hiding behind it probably leads to far more clicks than it would if people saw the whole picture up front.

2. Phishing emails are getting really REALLY good.  People will fall for them not because they're lazy or overly gullible; they will fall for them because there is an art to spamming.

3. Links should be displayed - I turn off HTML formatting when I see a suspicious message.  Maybe we can pop up something that displays just the domain name of the link before a user is allowed to follow it?  I am open to suggestions here.

These get better every day, and no user training in the world is going to eliminate this activity.  Tight content filtering policies would have prevented this one; when I cross-checked the destination URL it showed up as an uncategorized site.
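Both of these posts come back to the same two tells: the display name that hides the real sender address, and the link text that hides the real href. The following is an added example (my own code, not from either post) that pulls both out of a message so they can be shown to a user or fed into mail filtering: it reports the From: display name next to the real address, flags links whose visible text is a URL on a different host than the href, and renders links as "text <href>" plaintext. The message is constructed for the example and its sender domain is a placeholder.

```python
"""Surface the real sender address behind a display name and the real
target behind an HTML link (added example, not code from the posts)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "Amazon Student" lure; the sender
# domain is a placeholder, not a real phishing domain.
RAW_MESSAGE = b"""\
From: "Amazon Student" <noreply@student-rewards.example.net>
To: user@example.edu
Subject: Your student account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Verify your account at
<a href="http://login.student-rewards.example.net/verify">https://www.amazon.com/student</a>
or read the <a href="https://www.amazon.com/help">help pages</a>.</p>
</body></html>
"""


def sender_parts(raw):
    """Return (display_name, address, domain) from the From: header,
    i.e. what the client shows versus what is actually there."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = msg["From"].addresses[0]
    return addr.display_name, addr.addr_spec, addr.domain.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def collect_links(raw):
    """All (href, visible text) pairs in the message's HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkCollector()
    parser.feed(body.get_content())
    parser.close()
    return parser.links


def _host(url):
    return (urlparse(url).hostname or "").lower()


def link_report(raw):
    """One entry per link: href host, visible text, and whether the text
    is itself a URL whose host differs from the href host."""
    report = []
    for href, text in collect_links(raw):
        shown = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        report.append({"href_host": _host(href), "text": text,
                       "mismatch": bool(shown) and shown != _host(href)})
    return report


def plaintext_links(raw):
    """Render each link as 'text <href>' so the real target is visible."""
    return [f"{text} <{href}>" for href, text in collect_links(raw)]
```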


Friday, February 13, 2015

Where does threat intelligence best fit in? Securing from the Inside Out

To answer this question, I started with a different question:

"What threats are causing me problems, and what threats do I foresee causing me issues?"

I went back through trouble tickets and assigned the threat sources to categories as I ran across them.  I did not define my buckets before I started, as I did not want any bias to be present to confirm any of my current suspicions.  I really came up with three categories of threat vector:

1. Googling downloads: A huge amount of the malware we deal with daily comes from malicious repacks of iTunes and Flash, among a few other things. 

How can I block access to malware-laden repacks?

2. Phishing: This one really goes without explanation.

How can I block the most common phishing attacks?

3. Personal Email: People need to be able to check personal email at work, I understand this.  I know many of you will disagree, but the political impact of blocking personal email accounts at the office is significant and isn't a battle worth fighting for a lot of execs.  I know of one CISO who lost his job because he implemented this, and would not relent.  

How can I prevent users from bypassing email scanning and downloading compromised attachments?

With those three questions asked, the answer for me was even fuzzier than before.  How does threat intelligence help with these problems, and is threat intelligence the answer to my questions?

For me the answer was no to two of these problems, and a maybe to the first.  Would threat intel help me with the problem of people Googling downloads?  Probably.  Can I do it effectively without buying another blinky box?  Probably.

If I were managing a perimeter that had a large attack surface, I could see spending the money on something to dynamically update lists of bad IPs and IPS definitions.  But as we have seen in the past few years, most major breaches have come through much harder-to-predict threat vectors that I am not sure current versions of threat intel really help with.

What I am driving at is that for me, I will be focused on securing from the Inside to the outside as opposed to focusing on the perimeter and trying to prevent script kiddies from port scanning my web servers.  My analysis of threats that are the most prevalent leads me to look at workstation integrity first and foremost.

Tuesday, December 30, 2014

My 2014 Year in Review

So after a really crazy year, I felt like it would be good for me to look back and recap what I took out of 2014, if only for myself.  Here are my themes and lessons:

1. Open Source is not an excuse for bad security:

I took on a few Linux projects in 2014 and saw quite a few servers not behind an IPS because they were running iptables.  No one took the threat seriously because open source software was trusted and seen as secure.  Heartbleed and Shellshock changed that, and I for one am glad it did.  There's no longer an argument that open source can be trusted implicitly, and I talked several customers into putting a WAF in front of these boxes and setting up rules and IPS properly because of these large scale vulnerabilities.

2. Patching is not the only game in town:

Waiting for a patch, and then applying that patch is slow and tedious.  Mitigating risks quickly is what my employer is paid to do, and we have to go above and beyond with different approaches to emerging threats.  This leads me to:

3. Think outside the box, and use the tools you have:

When CryptoWall was spreading through ad networks, we used content filtering to block those ad networks instead of waiting for our AV vendor to put out a definition. Content filtering is not made for this role, but it did work well and we avoided CryptoWall almost entirely.

4. Not all threats require action:

We found that Poodle wasn't a big deal for our environments.  Once I understood the threat vector and how it was being exploited, I found that the fix for the issue was not worth the huge disruption in service that the implementation would require.  There were very few systems actually negotiating SSLv3 sessions, and those that were could usually be shut down.  The short version is, I no longer accept a threat with a high CVSS score as requiring a patch until I run it through my threat modeling regimen.  It's not easy, it's not simple, and it's not perfect.  What it has become is a way of communicating quickly what systems could be affected and the business case/ impact around the vulnerability.

5. Knowing your systems is the best way to protect your systems:

Know what you have and you'll easily figure out how to protect it.  We use a monitoring and management tool built for MSPs that quickly lets me build reports based on installed software or patch status or whatever you might want to know.  This is a key to the threat modeling system I am building, and I will tell you that I have found quite a few packages that didn't need to be there and could be removed, including a Joomla site that had been compromised and only served as a link to a file share. The rest of it gets built into my database of implemented technologies so I can search quickly when a certain package or protocol is found to be vulnerable.  Inventories are really great, but great inventories are really important.

What was your biggest takeaway from 2014?

Tuesday, November 4, 2014

My recent bout with a WordPress Vulnerability

We all hear horror stories about WordPress sites, and for one of my customers, it finally came to pass two weeks ago.  It wasn't until today, two weeks later, that we had full functionality restored to their systems. Let me set the stage:

    1. They wanted to do a new website and despite being advised against it, decided to co-locate it cheaply on a popular hosted WordPress platform.
    2. They did not have direct contact with the co-location company, as the account was set up through the developer they hired to build the site.
    3. The site was done poorly and required some strange DNS entries to make it work.

The story goes as follows:
We get a call that email messages are getting bounced back.  I look at the bounce-back message and see that they have been blacklisted.  I go into my IR plan for blacklists and check the appropriate channels to see how bad it is.  My first check at MXToolbox.com shows 21 listings, but for an IP address not assigned to my customer's netblock.  Curious, I look at who owns that block and find that it's the hosting company I specifically advised against about 6 months prior.  I then check the customer's mail server IP and see that it is also blacklisted, and that every IP listed in the DNS record has been listed.

I will list out my IR plan for this occurrence in a later post as it is now again a work in progress after I discovered some flaws while going through this incident.  My basic steps were:

1: Check firewall for large amounts of SMTP traffic. (This was clear)
2: Check Exchange queues for large amounts of mail waiting to be delivered and large numbers of connections. (Also clear)
3: Check firewall rules set up for port 25 and 987. (Again clear)
      - From these steps I determined that the problem was external.

4: Check MXToolbox blacklist. (Bingo)
5: Check known SaaS spam blocking solutions - TrendMicro, McAfee, Reflexion, etc. (All had both IPs listed)

6: Once I determined that the spam was coming from the web server, and thanks to the brilliance of MXToolbox it was even possible to determine the site that had been compromised on the co-located server, we called the customer to advise him to reach out to the hosting provider to request that the other site be shut down until it could be cleaned.  Here is where it got ugly:

They could not call directly to the provider as they did not have an account.  The web developer (I use this term very loosely, as slinging WordPress isn't technically developing) denied that it was their problem, and was basing his opinion on a search of the wrong domain name.  He blamed a DNS problem because he couldn't be bothered to check the email address they use to get the correct info.  Between his denial and slowness to respond, it took nearly half a day to get him to call the hosting company and begin to get the issue cleaned up.  Once he finally relented and the spam stopped, I began the long process of delisting the IPs in all of the blacklists that had self-service options.  It then took a full two weeks to get the all clear from TrendMicro, as they have some strange procedures around the delisting process.
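Steps 4 and 5 of the plan above are blacklist lookups, and they can be scripted rather than checked by hand. The following is an added example (my own code, not from the post or from MXToolbox) of the standard DNSBL convention those services use: reverse the IPv4 octets, prepend them to each blacklist zone, and treat an A record in 127.0.0.0/8 as a listing. The resolver is injectable so the check can also be run against canned answers; `check_all_records` takes the list of addresses from the customer's DNS record, since the post found every one of them listed.

```python
"""Look an IP up in DNS blacklists the way MXToolbox does (added example):
reverse the IPv4 octets, prepend them to each DNSBL zone, and treat an
A record in 127.0.0.0/8 as a listing."""
import ipaddress
import socket

# Public DNSBL zones; MXToolbox queries many more than these three.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """'1.2.3.4' + 'zen.spamhaus.org' -> '4.3.2.1.zen.spamhaus.org'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_lookup(name):
    """Resolve to an IPv4 string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_ip(ip, zones=DNSBL_ZONES, resolve=dns_lookup):
    """Return {zone: return_code or None}; 'resolve' is injectable so the
    check can run offline against a canned resolver."""
    results = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        listed = answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE
        results[zone] = answer if listed else None
    return results


def listed_zones(results):
    """Zones that returned a listing code, sorted for stable output."""
    return sorted(zone for zone, code in results.items() if code)


def check_all_records(ips, zones=DNSBL_ZONES, resolve=dns_lookup):
    """Check every address the DNS record hands out, not just the mail
    server: the post found every IP in the record listed."""
    return {ip: listed_zones(check_ip(ip, zones, resolve)) for ip in ips}


if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test entry, so this needs network.
    for ip, zones in check_all_records(["127.0.0.2"]).items():
        print(ip, "listed in" if zones else "clean", zones or "")
```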

So what did we learn?

1. Cheap hosting provides minimal security (Spoiler Alert - Cloud options are the same...)
2. WordPress is as easy to compromise as it's been described to be.  Co-located servers mean you never know when a popped plugin is running on the same environment as you are.
3. Always CYA (Check Your Assumptions)
4. Every customer needs a detailed and customized IR plan tailored to their environment.  No two are the same, and every process is different.  If you're not "singing off the same sheet music" it's hard to stay together as you move through the steps.

What was the impact to the customer?

1. Loss of ability to communicate with his clients for up to 2 weeks
2. Couldn't email invoices.  They spent hours per day faxing invoices so that they could continue to get paid.
3. Lost time and employee dissent.

All in all, it didn't matter what firewall rules I had in place, how solid my security was on their workstations, or even how well done their site was, because they chose a bad hosting platform and another site got popped.  It also demonstrated to them how critical email has become to a business and motivated them to take some additional steps to help mitigate these problems in the future.

One last thing:  They saved around $20 per month over a dedicated virtual server with an unshared IP.

Friday, October 3, 2014

Diamonds from Dust- Secure the Edge

First Things First - Content Filtering
Firewall configuration should have been a single post, but I realized that I do quite a lot of configuration without even thinking about it.  With that said, I decided to break this up into small but progressively more complicated tasks.

One of the things I see disabled almost immediately by most firewall admins is content filtering.  Yes, it is overbearing, annoying, and raises concerns over censorship.  What it can do is protect your workstations from crap floating around the internet embedded in sites they really had no reason to be on in the first place.  Here are some tips for keeping your job, and keeping people on your side:

1. Go slowly:  If you don't have content filtering turned on, configure the policy to only block sites in categories such as freeware or malware.  Then enable content filtering and see if anything breaks.

Next, print off the list of categories that are available in your platform, and take it to the leadership of your organization to get approval on which categories you can block and which are off limits.  Establish a process for whitelisting sites that are miscategorized or are necessary for business. I like to set up a system where I can email the decision maker and only whitelist a site with their approval in an email.

Once you have your marching orders, enable one category per day and wait for the calls to come in.

2. Explain the change in advance, and let leadership take the heat for the decision.

3. Work with users, don't make them feel like you're working against them.

Advanced Categories and Custom Configs:

I will shout it out on top of a mountain: "I HATE ADS"

I also have found that it's very easy to block them by loading the frame in a separate window and grabbing the URL.  I then add it to my blacklist and say goodbye to the Russian Brides and the free games.  If the Zedo issue from earlier this week taught us anything, it's that no good comes from ads.

The other category that I really like but that breaks a lot of sites is the "Uncategorized" category.  Be advised, your life will be hell for a while.  But after some tweaking and some grumbling, malware infections at the customer sites that have allowed me to implement this have plummeted. One customer had 5 infections in a week, and since we put the work into this category it's dropped to one in 9 months.

Finally, stick to your guns.  This will likely be a painful change for a lot of users but it will be worth it in the long run.