2016-03: What Should We Fear?

Location: The Working Centre, 58 Queen Street South, Kitchener, ON
Date: March 14th, 2016
Time: 7:00 PM

Ransomware. Spear-phishing. Botnets. Dirty USB attacks. Protecting our users and data has always been scary, but things appear to be getting scarier. What threats do you worry about the most? How have you changed your approach to deal with them? What threats can we do something about? How do we deal with the threats that are beyond our control?

As always, we will be sharing experiences and stories.

Meeting Notes

Announcements

  • Document Freedom Day: March 30
  • http://documentfreedom.org/
  • Interested: Bob, Marc, Steve?
  • North American attendance tends to be bad? Compared to Europe?
  • Software Freedom Day: Sept 17

Threats

  • Lock-in with proprietary formats.
  • e.g. WordPerfect 5.1 documents; LibreOffice can now convert them
  • KDE had a word processor (KWrite? Kate?) that could read WordPerfect
  • LibreOffice has a team to convert popular formats
  • Old binary formats were fragile, so repairing documents was hard.
  • Many of the older document formats were simpler and easier to reverse engineer.
  • Desktop layout programs had more complicated documents
  • Forgetting the UNIX philosophy is bad
    • You don’t need word processors
  • Things becoming obsolete? This is not a threat.
  • There is a need for people to decipher technology. There are many people who do not have deciphering skills.
  • How many organizations rely on proprietary document formats?
  • Fear: not having support communities for software we use.
  • Missing important information in the volume of alerts.
  • e.g. web server alerts based on databases
  • Log analysis tools can help
  • How do you deal with the unknown unknowns?
  • The tools require a lot of tweaking
  • Tools: Splunk, ELK stack (Elasticsearch, Logstash, Kibana), Graphite, Cacti, darkstat, Nagios, bandwidthd, Intel Systems Management, OpenNMS, Spiceworks
  • OpenNMS was self-configuring
  • Needed too much processing power to run
  • Little Snitch: monitors outward network connections
    • You can allow and deny different traffic
  • AVG for business gives you alerts (not just for viruses)
  • How do you deal with root causes of problems?
  • Rabbit holes are scary
  • At what point are we willing to deal with band-aid solutions and at what time do we need to find root causes?
  • Dealing with licensing and license audits
  • What happens when licenses expire?
  • GroupWise licensing under Novell was tolerant of small excesses, but the new owner (AttachMate) is harsh
  • But they audited school boards
  • Keep rough counts and stay on board
  • For GroupWise, people would use resource mailboxes for real users, because resource mailboxes did not consume licenses
  • What happens if there are huge expenses because of licensing infractions
  • How much blame gets shifted to the sysadmin as a result?
  • Keeping track of licenses is a headache
  • Monopolization is a fear
  • Should we be afraid of IT audits?
  • Audits are done by the finance departments
  • Security audits are scary too
  • Making things work sometimes requires violating best practices
  • Hacking, compromises, ransomware
  • Cryptowall, Cryptolocker
  • Don’t let daily accounts disable UAC or be admins
  • Security holes
  • How do you educate users about phishing vectors?
  • How do we trust our antivirus tools?
  • Losing remote access to customer sites
  • How deep should you go with educating users?
  • What are the key things to let people know?
  • Don’t open any attachment you didn’t ask for
  • Be as accessible to users as possible
    • Wander around and ask people what is happening
    • Have a help phone
  • Make users scared by giving demos
  • Show users visually what is going bad
  • What tools can protect us?
  • AVG desktop support was good. But commercial antivirus was not any better than Microsoft Security Essentials.
  • The phishing attacks are the real threats.
  • Antivirus consoles want to become centralized network tools
    • They tend to be poorly implemented and duplicate existing tools poorly
  • You have to explicitly tell BitDefender to update itself (!?)
  • Kaspersky for Business works well
    • They had a scare campaign about viruses to sell product
  • Someone liked the paid version of AVG
  • Clam does a good job of scanning offline
  • tronscript is an attempt to automate virus cleaning
  • How can you find zero-day exploits or monitor your system for weird behaviour?
    • Stiller. It takes a baseline of your computer and then prevents execution of anything that is not authorized.
    • Tripwire and rkhunter are available for Linux.
    • This does not protect you against browser code
    • Software Restriction Policies in Windows
  • Advertising is scary
  • Sales agents harass us (it is annoying)
  • Email account hijacks
  • Protections: NoScript, Privacy Badger, Request Policy, uBlock Origin, uBlock Edge, turn off CSS styles, Self-Destructing Cookies
  • AdBlock Plus now allows some advertising
  • But you need to tweak your blockers to be able to use the web
  • Drive-by attacks, cross-site scripting
  • Use multiple web browsers for different JS/non-JS
    • GNU IceCat
    • Chromium
    • Midori: finances
  • 1/3 work okay, 1/3 are degraded, 1/4 are unusable without other action, rest are unusable
  • Make the user agent Internet Explorer 3
  • Fear: bad web development practices
  • A lot of processing is done in the browser
  • Even management tools are written in JavaScript
  • Password managers: KeePassX
  • Linux containers: people distribute images on the internet easily
  • Should we trust the people who make these images?
  • How do we verify this trust?
  • Are signatures good enough? Linux Mint got changed, and so did the executables.
  • Ken Thompson: how do you trust trust?
    • Reputation is a factor as well.
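The baselining idea from the zero-day bullets (take a known-good snapshot, then flag anything that differs from it) and the Linux Mint point above (a hash list published beside the download is only as trustworthy as the channel it came from) both reduce to comparing files against a reference digest. The script below is an added example written for these notes, not code from the meeting, from Tripwire, rkhunter or any other tool named here. It builds a SHA-256 manifest of a directory, reports added, removed and modified files on a later pass, and checks a single file against a digest supplied out of band. The sample tree, its file contents and the manifest location are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root.

    Keys are POSIX-style relative paths so the manifest is portable. Symlinks are
    skipped rather than followed, so a link pointed outside the tree can't mask a change.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return manifest


def compare(baseline, current):
    """Classify drift between two manifests: added, removed and modified paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_baseline(manifest, path):
    """Write the manifest as JSON. Keep (and ideally sign) this copy somewhere the host can't rewrite it."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def verify_file_digest(path, expected_hex):
    """Check one file against a digest obtained out of band (a signed manifest, not the download page)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def demo():
    """Baseline a constructed sample tree, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")  # constructed sample file
        (root / "etc" / "config").write_bytes(b"key=1\n")              # constructed sample file

        # The manifest lives outside the monitored tree (here a second temp dir standing in for off-host storage).
        manifest_path = Path(store) / "baseline.json"
        baseline = build_baseline(root)
        save_baseline(baseline, manifest_path)

        # Simulate what a compromise looks like on disk: an edited config and a dropped file.
        (root / "etc" / "config").write_bytes(b"key=2\n")
        (root / "bin" / "dropped").write_bytes(b"constructed placeholder, not a real binary")

        drift = compare(load_baseline(manifest_path), build_baseline(root))
        digest_ok = verify_file_digest(root / "bin" / "tool", baseline["bin/tool"]["sha256"])
        digest_tampered = verify_file_digest(root / "etc" / "config", baseline["etc/config"]["sha256"])
        return {"drift": drift, "digest_ok": digest_ok, "digest_tampered": digest_tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points follow from the discussion. First, a checker like this only detects; it does not block execution the way Software Restriction Policies do, so it belongs alongside such controls rather than in place of them. Second, the manifest is the trust anchor: if it sits on the same host, or on the same web page as the artifact it describes, an attacker who changes the files can change the digests too, which is exactly the Linux Mint scenario. Store it off-host or sign it with a key the host never holds.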