CKA Forums
Canadian Forums

BartSimpson (CKA Moderator) - Posted: Wed Jul 05, 2017 9:29 am

FYI...

So I come in this morning after the July 4th holiday to find a shitstorm of phishing and malware attacks going on.

All targeted exclusively at IT and HR.

The HR attacks all involved multiple attempts to install a Windows password recovery tool from a firm called "Isumsoft".

I recommend you block Isumsoft.com to prevent this attack.

IT is just getting slammed with a smorgasbord of attempted Trojan downloads and the variant that's hitting us tries to install in about forty different directories all at the same time. And it targets people who would normally be expected to have admin rights attached to their primary user account.

We're defeating this because our administrators use separate accounts for admin work and their primary user accounts have no admin rights attached to them at all.

Best practices and such.

In any case...FYI. [B-o]
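
The separate-admin-account practice described in the post above is a control that can be checked rather than assumed. The following PowerShell is an added example, not code from the thread or from either poster's environment. It assumes a naming convention in which dedicated admin accounts carry an `adm-` prefix (hypothetical; substitute your own), that the ActiveDirectory RSAT module is installed, and that the three group names listed are the privileged groups that matter in your domain. It reports enabled accounts in those groups that look like day-to-day user accounts, which are the accounts a phish aimed at IT staff would most benefit from landing on.

```powershell
# Added example (not from the thread): audit privileged groups for accounts that
# look like primary user accounts rather than dedicated admin accounts.
# Assumptions (hypothetical, adjust to your environment):
#   - dedicated admin accounts follow a naming convention, here the prefix "adm-"
#   - the ActiveDirectory module (RSAT) is installed and the domain is reachable
#Requires -Modules ActiveDirectory

function Get-PrivilegedAccountViolations {
    [CmdletBinding()]
    param(
        # Groups whose membership grants admin rights; -Recursive follows nested groups
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        # Regex a dedicated admin account name must match (hypothetical convention)
        [string]$AdminNamePattern = '^adm-'
    )

    foreach ($group in $Groups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.distinguishedName -Properties Enabled, LastLogonDate, Mail
            # A disabled account cannot be phished into use; skip it
            if (-not $user.Enabled) { continue }
            if ($user.SamAccountName -notmatch $AdminNamePattern) {
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $user.SamAccountName
                    Mail           = $user.Mail          # a mailbox is what makes it phishable
                    LastLogonDate  = $user.LastLogonDate
                    Finding        = 'Primary-looking account holds admin rights'
                }
            }
        }
    }
}

# Same check for the local Administrators group on this workstation; no domain query needed.
# Get-LocalGroupMember reports names as "DOMAIN\name", hence the optional prefix in the regex.
function Get-LocalAdminViolations {
    param([string]$AdminNamePattern = '^(?:.*\\)?adm-')
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notmatch $AdminNamePattern }
}

Get-PrivilegedAccountViolations | Format-Table -AutoSize
Get-LocalAdminViolations | Format-Table -AutoSize
```

Run it on a schedule from an admin session; any row it prints is a finding to either rename into a dedicated admin account or remove from the group. The built-in local Administrator account will show up in the second list by design, since it also does not follow the convention.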



DrCaleb (CKA Moderator) - Posted: Wed Jul 05, 2017 9:52 am

Phishers are just scum. Good on the separation of user/admin rights. We classify data according to certain guidelines, and further segregate it as well.

Just because a person's credentials get compromised doesn't mean there is a breach in the data.



BartSimpson (CKA Moderator) - Posted: Wed Jul 05, 2017 11:20 am

Data classification for the win! [B-o]



DrCaleb (CKA Moderator) - Posted: Wed Jul 05, 2017 11:53 am

[B-o]

We go deeper than that too. I have zero authority to my workstation. It's on one domain. My administration IDs for Windows servers are on another domain, and I can only access them remotely via RDP or VMWare. My admin rights to Linux/HP-UX are through yet another LDAP server, and our DMZ/public facing network is in a fourth domain. Very little risk of malware getting anything important, even if I was compromised.

And data is further classified and is separate from all those!



BartSimpson (CKA Moderator) - Posted: Wed Jul 05, 2017 4:36 pm

Are the domains all in the same forest? If so then why not just use a segmented VLAN to accomplish the same thing...but easier?



DrCaleb (CKA Moderator) - Posted: Thu Jul 06, 2017 5:26 am

No, different domains, different IP segments, and different VLANs too. The internet facing domain also has no trust to the others, and the F5 firewall does not allow most communication between VLANs.

If we want to move data between them, we have to have the network guy open a path between two specific hosts to perform the copy. :) And only those two hosts.

We actually had a meeting yesterday to further classify data and services in the event of a large scale malware attack. It's actually quite different than our classifications and procedures for Disaster Recovery.
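
The deny-by-default inter-VLAN policy described in the post above is worth verifying from time to time, since a path opened for one copy job can outlive the job. This PowerShell is an added example, not code from the thread or from either poster's environment; the segment names, probe host names, port list and the single approved path are hypothetical placeholders. Run from a host in one segment, it probes one representative host in each other segment on a handful of management ports and reports anything reachable that is not on the approved list.

```powershell
# Added example (not from the thread): confirm that only the approved host-to-host
# path is reachable across segments. All hosts, ports and paths are hypothetical.
function Test-SegmentIsolation {
    [CmdletBinding()]
    param(
        # One probe host per segment; names are placeholders for your own
        [hashtable]$SegmentHosts = @{
            'workstation-domain'  = 'ws-probe.corp.example'
            'server-admin-domain' = 'srv-probe.admin.example'
            'unix-ldap'           = 'ldap-probe.unix.example'
            'dmz'                 = 'web-probe.dmz.example'
        },
        # Paths the network team opened on purpose, as "host:port" (placeholder)
        [string[]]$ApprovedPaths = @('srv-probe.admin.example:3389'),
        # Management ports that should not be reachable across segments
        [int[]]$Ports = @(22, 135, 445, 3389, 5985)
    )

    foreach ($segment in $SegmentHosts.Keys) {
        $target = $SegmentHosts[$segment]
        foreach ($port in $Ports) {
            # -InformationLevel Quiet makes Test-NetConnection return a plain boolean
            $open = Test-NetConnection -ComputerName $target -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            $approved = $ApprovedPaths -contains ('{0}:{1}' -f $target, $port)
            if ($open -and -not $approved) { $status = 'VIOLATION' }   # reachable without an approved exception
            elseif ($open)                 { $status = 'approved' }
            else                           { $status = 'blocked' }
            [pscustomobject]@{
                Segment   = $segment
                Target    = $target
                Port      = $port
                Reachable = $open
                Approved  = $approved
                Status    = $status
            }
        }
    }
}

# Anything that is not 'blocked' deserves a look; 'VIOLATION' means the firewall policy drifted
Test-SegmentIsolation | Where-Object { $_.Status -ne 'blocked' } | Format-Table -AutoSize
```

Keep the approved-path list in version control next to the change tickets that justified each entry, so that a VIOLATION row can be traced to either a forgotten exception or an unauthorised change.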



BartSimpson (CKA Moderator) - Posted: Thu Jul 06, 2017 8:21 am

Lately I've been dealing with the whole "cloud" fad and my problem with it is that we no longer need to be hacked to stop our organization from functioning, we simply need to be denied access to our resources.

A saw and about thirty seconds is all it would take to cut our fiber connection to the world and we'd be done.

And as more and more critical infrastructure moves to 'the cloud' (remote servers) then the cyberanarchists will simply move to attacking the data pipe instead of the data.

We need to prepare for this too.



Tricks (CKA Uber) - Posted: Fri Jul 07, 2017 2:20 pm

BartSimpson wrote:
FYI...

So I come in this morning after the July 4th holiday to find a shitstorm of phishing and malware attacks going on.

All targeted exclusively at IT and HR.

The HR attacks all involved multiple attempts to install a Windows password recovery tool from a firm called "Isumsoft".

I recommend you block Isumsoft.com to prevent this attack.

IT is just getting slammed with a smorgasbord of attempted Trojan downloads and the variant that's hitting us tries to install in about forty different directories all at the same time. And it targets people who would normally be expected to have admin rights attached to their primary user account.

We're defeating this because our administrators use separate accounts for admin work and their primary user accounts have no admin rights attached to them at all.

Best practices and such.

In any case...FYI. [B-o]

It's like a case study right out of my risk management class... :lol:



DrCaleb (CKA Moderator) - Posted: Mon Jul 10, 2017 6:32 am

BartSimpson wrote:
Lately I've been dealing with the whole "cloud" fad and my problem with it is that we no longer need to be hacked to stop our organization from functioning, we simply need to be denied access to our resources.

A saw and about thirty seconds is all it would take to cut our fiber connection to the world and we'd be done.

And as more and more critical infrastructure moves to 'the cloud' (remote servers) then the cyberanarchists will simply move to attacking the data pipe instead of the data.

We need to prepare for this too.


Don't even get me started on 'the cloud'. :evil: My first question is usually 'what problem are you trying to solve?'. Most often, that stops any manager playing buzzword bingo dead in their re-org. If not, then pointing out the Government of Alberta's policy requiring data being kept physically within the province usually shuts that down RFN.

The one legacy I still love about old Ralph Klein is his creation of Alberta Supernet. There used to be outages all the time, where some yahoo would start digging with his backhoe and an entire city would drop off the internet because he dug up a clearly marked fiber cable. It still happens, but with Supernet the problem just re-routes.

That said, there are still single points of failure. But none would lead to a total or long term loss of service.

Tricks wrote:
It's like a case study right out of my risk management class... :lol:


Where do you think those scenarios come from? Shit people like Bart and I did 10, 20, and 30 years ago, before we knew better. ;)



Tricks (CKA Uber) - Posted: Mon Jul 10, 2017 10:22 am

DrCaleb wrote:

Tricks wrote:
It's like a case study right out of my risk management class... :lol:


Where do you think those scenarios come from? Shit people like Bart and I did 10, 20, and 30 years ago, before we knew better. ;)

And judging from the news every other week, others still do.



BartSimpson (CKA Moderator) - Posted: Mon Jul 10, 2017 11:22 am

DrCaleb wrote:

Don't even get me started on 'the cloud'. :evil: My first question is usually 'what problem are you trying to solve?'. Most often, that stops any manager playing buzzword bingo dead in their re-org. If not, then pointing out the Government of Alberta's policy requiring data being kept physically within the province usually shuts that down RFN.


California has the same laws about keeping data inside of California, yet these laws get broken with such regularity that it's almost a de facto policy to ship data out of state and overseas.

You have to be careful about the fine print in any off-site data storage agreement because the proverbial devil is in the details. Oftentimes all you get is a proxy that's hosted locally. Your data is often on a "follow the night" tour around the world where data storage follows the cheapest electricity, which comes at night.

It hasn't surprised me to find out that our most critical data has been on a tour of Singapore, China, Russia, Brazil, etc. because the storage firm is chasing cheap power.



DrCaleb (CKA Moderator) - Posted: Mon Jul 10, 2017 11:34 am

All our data is hosted on machines I can physically touch. :) But it doesn't stop some people from trying to make brownie points on something they read in a business magazine, and don't even tangentially understand.

And, ironically, Microsoft announced Azure software that can exist in your datacentre! Seriously, why insource the stuff you tried to outsource? Why not just host it all yourself, anyhow?

I'd get an Auditor General or Attorney General involved with that stuff Bart. "Personal data" is the #1 target nowadays, as this phishing thread shows. Leaving it in the hands of random datacenters is just asking for trouble.



BartSimpson (CKA Moderator) - Posted: Mon Jul 10, 2017 11:42 am

DrCaleb wrote:
All our data is hosted on machines I can physically touch. :) But it doesn't stop some people from trying to make brownie points on something they read in a business magazine, and don't even tangentially understand.


Can't even begin to tell you how many clueless upper management types I've humiliated when they've held meetings to tell us of the latest automagical technical sorcery and then I've asked them to explain it to a room full of people with decades of technical expertise. Always fun! :mrgreen:

DrCaleb wrote:
And, ironically, Microsoft announced Azure software that can exist in your datacentre! Seriously, why insource the stuff you tried to outsource? Why not just host it all yourself, anyhow?


Azure is Microsoft's way of saying, "Give us more money, please!"

DrCaleb wrote:
I'd get an Auditor General or Attorney General involved with that stuff Bart. "Personal data" is the #1 target nowadays, as this phishing thread shows. Leaving it in the hands of random datacenters is just asking for trouble.


It's California. If I did this I'd be the one going to jail or getting killed in a "botched" robbery attempt. Whistleblowers in this state live very short lives before they die or go to prison.

At this point I just want to secure my retirement and then hit the road. If the people of California want to insist on voting for a one-party oligarchy then that's their misfortune and I don't care to correct them.

I'll do my job to the best of my ability but I'm not interested in fighting for the best interests of a bunch of jerks who'd hate me for going against their pet politicians. Fuck 'em.



DrCaleb (CKA Moderator) - Posted: Mon Jul 10, 2017 11:57 am

BartSimpson wrote:
It's California. If I did this I'd be the one going to jail or getting killed in a "botched" robbery attempt. Whistleblowers in this state live very short lives before they die or go to prison.

At this point I just want to secure my retirement and then hit the road. If the people of California want to insist on voting for a one-party oligarchy then that's their misfortune and I don't care to correct them.

I'll do my job to the best of my ability but I'm not interested in fighting for the best interests of a bunch of jerks who'd hate me for going against their pet politicians. Fuck 'em.


Yea, I forgot about that guy who withheld the Admin passwords from his boss, because his boss was an idiot. Then he gave up the passwords, the boss fucked up the network and the guy went to jail anyhow. 8O

Keep your head down, and nod politely once in a while. Then, fuck 'em.


[ 18 posts ] Page 1 of 2

All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © Canadaka.net. Powered by © phpBB.