Siko’s Computer Security Safety Tips

Working in the computer security industry is challenging – especially when you get questions from friends and family asking for computer security advice :). I was recently asked “How do I make my computer impenetrable?”. I responded with “It is impossible to make a computer impenetrable unless you unplug it, pull out the battery, and put 5 nails through the hard drive.”

I ended up thinking about how to respond more reasonably and came up with a list of pro-tips for someone naive in this arena – like my mother. I am posting this to our blog so that I can easily reference it in the future. Plus, I thought you might find it useful for your mother, sister or father’s brother’s nephew’s cousin’s former roommate!!

1. Be Careful – If you get an email and you don’t know the sender then don’t click the link or open the attachment. If you get an email from a friend with an attachment or link, then only open it if you expected them to send it. Don’t install random software from random places on the Internet. Downloading “attractive” software that you don’t absolutely need may come packaged with spyware. People opening or installing things they shouldn’t is one of the biggest problems in information security.

2. Install Updates and Use the Latest Software – Make sure you keep your software up to date. If Microsoft Windows wants to install updates then let it happen (this happens every Tuesday). If iTunes or Adobe needs to update, then make sure you get the latest version. These updates often contain fixes for bugs and vulnerabilities. Also use the newest version of software whenever possible. Newer software has mitigations and is often more secure than older versions.

3. Passwords – Don’t use simple passwords. Don’t use the same password at multiple sites. Don’t share accounts with others. Instead use a tool like 1Password, Keepass, or Lastpass to manage your passwords. Have those tools randomly generate long passwords for you automatically.

4. Two-Factor Authentication – This is a process of involving a 2nd stage of verification when logging in. This typically means you provide a username/password, and then a unique code that is provided to you by an application on your phone. This is very secure because an attacker would need your password and access to your phone. Google, Twitter, Facebook, Amazon, and many more already allow you to log in this way.

5. Encryption – Always perform full disk encryption of all computers, laptops, tablets, and mobile devices. That way if the device is stolen then the information will not be compromised. Also encrypt any data you care about and decrypt it as you need to access and use it. Consider a free tool like Truecrypt for solving this on a PC.

6. Perform Backups – Backup your important data often. Apple, Microsoft, and Chromebooks have programs that do this automatically. Malware can delete or encrypt your files holding them for ransom. Your system can crash. Make sure you have a backup, so that you can restore your data easily.

7. Protect Your Cell Phone – Pay attention to the permissions that an application is requesting before installing it and consider whether it’s reasonable for the application to require those permissions. Use a lock screen to ensure someone can’t impersonate you if you lose your phone.

8. Use Less Common Software – Use software that attackers target less. For example, the Google Chrome browser on Mac is much less targeted than Internet Explorer browser on Windows 7.

9. Anti-Virus – Anti-virus protects you from many threats, although certainly not all of them. I personally don’t run AV because of how much malware I handle. If you aren’t handling malware, then run AV and turn it on fully, so all of the auto-scanning and IPS features are running.

10. Don’t Run as Administrator – Run as a non-administrative user on your system. If you run as admin malware can more easily perform its malicious activities.

11. Segmentation – Don’t plug your computer directly into the Internet or modem. Instead, make sure you connect to a firewall or router that is plugged into your connection out to the Internet. Everyone with a Wifi access point already has this in place.

12. Virtual Machines – Use Virtual Machines like VMware Fusion or Workstation when performing tasks that might endanger your machine (like browsing pornographic or malicious websites by choice). By using a virtual machine, you can isolate any infections and then just wipe or reset the virtual machine when you are done.

10 days in the desert – Black Hat and DEFCON bound

I’m excited for my annual 10-day trip to Las Vegas for these big security conferences. Andy and I have a lot of cool events, including the chance for you to WIN A FREE VIP DINNER, so read on:

1. Mandiant is sponsoring a FREE book signing on Wed & Thurs July 25 & 26 from 1-2PM at Black Hat, this will take place in the Trevi Room, Caesars Palace (adjacent to the exhibit hall, Octavius Ballroom). First come, First served, so get there early because they’ll go fast and we’re limited.

2. WIN A FREE VIP DINNER at Bobby Flay’s Mesa Grill with Andy and I on Wednesday night by being on of the first 5 people in line at the book signing on Wednesday July 25. Get there early, because this is going to be a fun time at a great restaurant. (Note: if you aren’t one of the first 5 you’ll still get a free book until they run out).

3. Andy is releasing FakeNet 1.0 at the Black Hat Tool Arsenal from 11:45am-12:45pm on Wed and Thurs July 25 & 26. Stop by and check out the tool.

4. No Starch Press is holding a Defcon book signing for us on Friday July 27 at 4pm at the Rio. This will be at the No Starch Press booth, so bring your book or buy a discounted one at the NSP booth at the signing.

5. Mandiant is holding their always fun party at the Shadow Bar starting at 7pm on Tuesday 7/24 at the Shadow Bar in Caesar’s Palace. Make sure you register to attend . I’ll be hanging out at this party, so join me for a free drink.

6. I’ll be teaching a sold out 4-day Malware Analysis class at Black Hat on Saturday through Tuesday (7/21-7/24)

We look forward to seeing you in Vegas!

Buster Sandbox Analyzer adds support for FakeNet

Good news, Buster Sandbox Analyzer (BSA) has just added support for FakeNet.  For those of you not familiar, BSA is a tool that can be used to automatically analyze the behavior of processes and the changes made to system and then evaluate if they are malicious. This fully automates all of the basic dynamic analysis you typically perform. Full details and a download of BSA can be found here. BSA works with Sandboxie. Sandboxie is a program that runs programs in an isolated environment to prevent them from making permanent changes to your system. Sandboxie was designed to allow secure web browsing, but its sandbox aspect makes it useful for malware analysis. For example, you can use it to capture filesystem and registry accesses of the program you are sandboxing. Buster Sandbox Analyzer (BSA) interfaces with Sandboxie to provide automated analysis and reporting.

Continue reading

Book Signing at SOURCE Boston

I will be signing books at SOURCE Boston.  Mandiant has kindly agreed to sponsor the event.  The first 20 people to stop by the Mandiant table on Tuesday, April 17th from 4:00 to 4:30pm will receive a FREE copy of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.  If you don’t make it on Tuesday, don’t worry!  I’ll do it all over again on Wednesday, April 18th from 5:30 to 6:30pm.

Already own a copy? Stop by and say hello.  I would love to hear your feedback and I would be glad to answer any questions you may have.

Book Review: A Bug Hunter’s Diary

This was a fun and fast (<150 pages) read. It was a good book for me to read on vacation because you can read it a chapter at a time. Each chapter is an independent story taking you through the journey of finding a single software vulnerability. The author, Tobias Klein, is someone whom I was already familiar with by his website and we even reference his tool ScoopyNG in Chapter 17 of PMA.

For someone new to and interested in finding vulns, reading this will help you identify your gaps really quickly and also tell you if you are going to enjoy this type of work. If you aren’t very excited by the content, then trust me, you don’t want to be an exploit developer. You really need a background in programming and vulnerabilities to comprehend everything in this book. The appendix doesn’t cover enough for a beginner. Having a couple pages on defining a buffer overflow or type conversion error is enough to refresh someone who has done this before, but not enough to teach someone new to the material. The good thing is that if you want to be good at malware analysis you need the same solid C background that you will need to read this book. Long story short – learn C if you want to reverse or bug hunt!

Continue reading

Concealing Network Traffic via Google Translate

I recently encountered an interesting malware sample.  Examining its network activity, I noticed that it was beaconing out to translate.google.com.  It doesn’t really make sense that malware would need to translate a webpage, so I took a closer look at what was going on.  It turns out that the malware was using Google translate (and other translation websites) to proxy access to their malicious websites. Using the translation pages allows the malware to communicate with command and control servers without ever connecting to them. Analysis of the traffic would only show connections to Google Translate servers. These websites may contain commands or configuration that the malware downloads.

Continue reading