- Use POP email rather than web-mail, and do not use Outlook or any other email client that specializes in rendering HTML email messages. Instead use Thunderbird or some other email program that does not render HTML. That makes the phishy links impossible to pull off: the ones where the visible link text shows a URL that looks safe, while the URL you actually go to when you click is a different one, hidden in the HTML and visible only on mouse-over, if at all. With Thunderbird, Claws Mail and other email programs that don't render HTML, the malicious URL is no longer hidden. It stands out like a sore thumb. That helps keep your users from falling prey to APT spear phishing email messages.
- Use OpenPGP encryption. For a place like Oak Ridge, do not put your keys on the key servers; share them privately. Set your keys to expire after no more than ten years. If a message from HR or a colleague has attachments or embedded URLs, you should require that it be signed. You can either go the commercial route and purchase PGP encryption (owned by Symantec as of 2011-04-29) or download GPG4Win for Windows machines. Here is their link: GPG4Win. You get GPG on Linux automatically, and it is also available for Macintosh. But again, on Macintosh do not use Apple Mail, since it renders HTML email. I really wanted to list this one first, since it is actually the least important, but you need Thunderbird or Claws Mail to do this on Windows anyway. Do not depend on engineers to figure out how to create their own OpenPGP keys. Engineers are bright people, but they still need help making their encryption keys the first time around. Public/private key encryption is a lot harder to understand than you think it is. The hardest thing of all, though, is to come up with a suitably long passphrase. I advise only alphanumerics, although some punctuation marks are okay. Your passphrase should be almost impossible to guess, yet easy to remember, and not too difficult to type.
- Do not use Microsoft Windows! Here are some links on what file permissions do to protect you on Unix-like systems: Simple-Perm-Example, Elaborate-Perm-Example, Unix-File-Permission-Table. Even though I give them for this particular system / OS, OpenVMS, OS/400, VM/CMS, and most other operating systems all have file system protection schemes. Microsoft didn't wait for them with the NTFS file system. But even before you get to how these permissions would protect you from being infected by a binary built for your particular system (it comes down in a form that cannot be run, because the execute bit is not set), keep one more thing in mind: you are probably not going to get one anyway. Instead, the hackers are going to send you a link to a Windows binary that depends on an IE flaw or something similar on Microsoft Windows. So when your Chrome, Firefox, Opera, or Safari browser on Linux, Macintosh, or Unix sees it, the browser just says "Huh? What do you want me to do with this exe thing?" I tell the browser to download them into the usual place, a folder named /tmp/Quarantine. I then feed them to ClamAV, and I am still keeping a back-end channel open to the AV companies, although very little goes through it any more. But it is there to help them detect new threats as I encounter them.
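The hidden-link trick from the first item, as an added Python example that is not from the original post: it parses an HTML email with the standard library and flags anchors whose visible text looks like a URL but whose real href points at a different host, which is exactly the mismatch a non-HTML client exposes to the reader. The sample message and the lab.example / attacker.example domains are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(text):
    """Hostname of a URL, or of bare text such as 'www.lab.example/hr'; '' if none."""
    try:
        return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    except ValueError:  # e.g. stray brackets in link text are not a URL
        return ""

def find_deceptive_links(raw_message):
    """Return (real_href, visible_text) pairs whose visible text names a different host."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:  # plain-text mail cannot hide a link this way
        return []
    collector = _LinkCollector()
    collector.feed(html_part.get_content())
    return [(href, text) for href, text in collector.links
            if "." in _host(text) and _host(text) != _host(href)]

# Constructed sample message (not a real capture); the domains are placeholders.
SAMPLE = """\
From: hr@lab.example
Subject: Updated benefits form
Content-Type: text/html; charset="utf-8"

<p>Please review the form at
<a href="http://login.attacker.example/hr">https://www.lab.example/benefits</a>
or read <a href="https://www.lab.example/help">our help page</a>.</p>
"""
```

Running `find_deceptive_links(SAMPLE)` returns only the first anchor, the one whose displayed URL and real destination disagree.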
Thursday, April 28, 2011
I think I had better make this a little clearer, even though it really is an extension of the last post about using email safely. I see RSA being hacked into, and then Oak Ridge Laboratory, with something some people are calling "Advanced Persistent Threat (APT)". There are sure-fire ways to improve your odds of not falling prey to APT. They are listed almost in reverse order of importance; to make the order exact you would need to swap numbers one and two, but the first is needed to make the second possible. Here they are: