Author Archives: Michael Lester

Identifying suspicious mail rules

Over the past few months, we’ve seen a significant increase in the number of highly targeted phishing attacks on schools and businesses which have demonstrated a level of sophistication we’d not encountered previously.

The current modus operandi appears to be:

1. Attacker targets “high-value” person within organisation (for example business manager, principal, accounts payable, CFO, etc)
2. Attacker sends spear-phishing email to target to collect login details
3. Attacker uses credentials to log in as end user, and configures mail-forward on target’s mail account
4. Attacker watches mail flow for weeks or months, searching for high-value opportunities (typically an upcoming large payment)
5. Attacker intercepts payment requests, deleting original email from inbox
6. Attacker replaces payment request with custom crafted email (modified from original), changing payment details to reflect an account the attacker has control of
7. Profit.

As we know, effective anti-spam and anti-phishing solutions can often intercept and address step two, however sometimes these things slip through the cracks. Office 365’s Advanced Threat Protection analytics engine is remarkably effective at identifying this. Similarly, the Office 365 and Azure security dashboards and analytics are great at identifying suspicious logins for a user account. Plus, those high-value accounts are all using multi-factor authentication anyway, right?

However, let’s assume for a moment that you’ve yet to get all of that set up, or you have your suspicions that something may already be in place and you want to check whether this is an issue… How might you do this?

It turns out that dumping a list of the mailbox rules currently in place across your organisation is incredibly simple to do. Take a look at the PowerShell script below:


# Connect to Exchange Online. The Basic-auth remote PowerShell endpoint used here has since been
# retired by Microsoft; on a current tenant use Connect-ExchangeOnline from the ExchangeOnlineManagement
# module in place of the New-PSSession/Import-PSSession lines.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# -ResultSize Unlimited: without it Get-Mailbox stops after the first 1000 mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited
$results = foreach ($mailbox in $mailboxes) {
    # Multi-valued fields are joined into one string; otherwise Export-Csv writes only the collection type name
    Get-InboxRule -Mailbox $mailbox.Alias | Select-Object Enabled, Name, Priority,
        @{n='From';e={$_.From -join ';'}}, @{n='SentTo';e={$_.SentTo -join ';'}},
        CopyToFolder, DeleteMessage, @{n='ForwardTo';e={$_.ForwardTo -join ';'}},
        @{n='ForwardAsAttachmentTo';e={$_.ForwardAsAttachmentTo -join ';'}},
        MarkAsRead, MoveToFolder, @{n='RedirectTo';e={$_.RedirectTo -join ';'}}, MailboxOwnerId
}

$results | Export-Csv -Path MyInboxRules.csv -NoTypeInformation
Remove-PSSession $Session

This script connects to Office 365, grabs a list of all of your mailboxes, and exports the mailbox rules that are in place to a CSV for you to review. Pay particular attention to the ForwardTo/RedirectTo fields for any external email addresses, or suspicious values.
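As an added example (not from the original post), here is a PowerShell function that triages the rules rather than leaving you to read the CSV by eye. It flags any ForwardTo, RedirectTo or ForwardAsAttachmentTo target outside your own domains, rules that delete mail, rules that file mail into folders nobody reads, and rules with blank or dot-only names, all of which match the pattern described above. The domain school.example, the folder names and the three sample rules are constructed for the demo, not real tenant data.

```powershell
# Added example, not from the original post. Triage inbox rules for the signs of a mail-forwarding
# attacker. $InternalDomains and the sample rules below are assumptions for the demo.
function Find-SuspiciousInboxRule {
    param(
        [Parameter(ValueFromPipeline)] $Rule,
        [string[]] $InternalDomains = @('school.example')   # assumption: your own mail domains
    )
    process {
        $reasons = @()
        # On real Get-InboxRule output these are collections of strings such as
        # '"Display Name" [SMTP:user@domain]'; bare addresses are handled too.
        foreach ($prop in 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') {
            foreach ($target in @($Rule.$prop)) {
                if (-not $target) { continue }
                $addr   = if ("$target" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$target" }
                $domain = ($addr -split '@')[-1].ToLower()
                if ($InternalDomains -notcontains $domain) {
                    $reasons += "$prop -> external address $addr"
                }
            }
        }
        if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
        # Folders attackers use to hide mail from the owner (assumed list; extend as needed)
        if ($Rule.MoveToFolder -match 'RSS|Junk|Archive|Deleted|Conversation History') {
            $reasons += "hides mail in '$($Rule.MoveToFolder)'"
        }
        if ("$($Rule.Name)" -match '^[\.\s]*$') { $reasons += 'blank or dot-only rule name' }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules standing in for Get-InboxRule output (not real data)
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'cfo@school.example'; Name = '.'; Enabled = $true
        ForwardTo = @('"Payments" [SMTP:payments.review@mail-drop.example]'); RedirectTo = $null
        ForwardAsAttachmentTo = $null; DeleteMessage = $true; MoveToFolder = $null }
    [pscustomobject]@{ MailboxOwnerId = 'admin@school.example'; Name = 'Newsletters'; Enabled = $true
        ForwardTo = $null; RedirectTo = $null; ForwardAsAttachmentTo = $null
        DeleteMessage = $false; MoveToFolder = 'admin@school.example\Newsletters' }
    [pscustomobject]@{ MailboxOwnerId = 'bursar@school.example'; Name = 'Copy to assistant'; Enabled = $true
        ForwardTo = @('"Assistant" [SMTP:assistant@school.example]'); RedirectTo = $null
        ForwardAsAttachmentTo = $null; DeleteMessage = $false; MoveToFolder = $null }
)

# Only the CFO rule is reported: external forward, deletes the original, dot-only name
$sampleRules | Find-SuspiciousInboxRule -InternalDomains 'school.example' | Format-Table -AutoSize

# Against a live tenant, feed it the real rules instead:
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.Alias } |
#     Find-SuspiciousInboxRule -InternalDomains 'school.example'
```

Inbox rules are not the only way to forward mail: an attacker with the user’s credentials (or an admin’s) can also set mailbox-level forwarding, which Get-InboxRule does not show. Check those separately with Get-Mailbox, looking at the ForwardingSmtpAddress, ForwardingAddress and DeliverToMailboxAndForward properties.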

There are more sophisticated ways to keep an eye on this, and in some ways this is using a hammer to crack a walnut, however it may just be worth running this against your environment and confirming you’re not currently in the midst of a targeted attack. Oh, and don’t forget to enable MFA.

Cloud Security – Two Factor Authentication

A dry topic to kick off the year, however one that is very important to those of you who have embraced cloud based services, whether for your personal or business use.

Have you ever considered what would happen if someone were to gain access to your Facebook account?  How about Twitter?  Now consider what happens if someone gains access to your email… You know, the one that you use for every service that you sign up for?  Suddenly an attacker can reset your password for most of your online services and get the password reset notification to that compromised email account.

It might sound a little scary, but the reality is this happens every single day around the world.

The good news is that most of your favourite cloud services have steps that you can follow to minimise the risk by utilising two factor authentication.  Some have it turned on by default…So what is it?

You may have noticed that when you sign up to certain services they ask you to enter your mobile number and then require you to enter a code that you receive via SMS – that’s two factor authentication.  In order for you to log into a service, you need to enter something you know (your username and password) and something you have (the code you just received on your mobile phone).  This is of course a simplification, however it does demonstrate how an attacker would need to take extra steps to break into a service – they need your password as well as your mobile phone.

Sure, it might be inconvenient to have to grab your phone when you want to log into a service, however consider the effect on someone trying to compromise your account… Their job just got a whole lot harder (not impossible, just harder).

The great news is most popular services have options to enable this, and many enable it by default.  Here are just a few links to get you started:

So why not protect yourself and enable two factor authentication on your most important personal and business accounts?  It’s not a magic bullet, however it does give you a little extra peace of mind that you’re taking the right steps to help protect yourself online.

Wireless Tips

Wireless networking seems to be something of a mystery to a lot of organisations that we speak with, however more and more it’s becoming a critical part of their infrastructure. If you get it right, you’ll have a rock solid experience comparable to being physically cabled. Get it wrong, and you’ll be cursed to live a life of buffering videos and frustrated staff.

The topic is enormous, however to get started we’d like to cover off a few little tips and tricks that we’ve picked up working with schools on their wireless design.

◉ Think of wireless as a half-duplex medium. Researchers have demonstrated full-duplex wireless, but the access point you’re using does not do it. Only one device gets to speak at a time, and before a device talks it listens to see if anyone else is already talking. The more devices you have on a radio, the more often one will try to talk at the same time as another; when that happens, both back off for a random period and try again. Put simply, every extra client on a radio adds contention, and the effect compounds quickly. In line with what we’ve seen at schools using multimedia in class, we suggest allowing 10-20 clients max per radio. In a school this probably means you’re going to be using an access point per classroom.

◉ Restrict the use of 2.4GHz wherever possible, as it tends to be a more congested spectrum. Andrew at Revolution WiFi has an excellent perspective on the problem here, however in short: you probably want to use 2.4GHz as little as possible, especially if you’re in a space where you have poor wifi neighbours. Software-programmable radios are an excellent strategy, and there are vendors today who let you be flexible with your radios (for example, dual-5GHz radios on a single AP). The traditional fixed 2.4/5GHz radio vendors can and do work, but you’re going to be doing an awful lot more tweaking, and chances are you’re going to have some APs deployed with radios turned off.

◉ Consider cell-sizing as a critical part of your design. Some wireless clients are fairly bright about working out the best signal to use, and you can rely on them to select the radio you want them to. Others are not, and some will hang onto a signal for dear life (iPads are notorious for this) even when that is not what you want them to do. If you design your cell sizes appropriately, you can minimise the chances that the device connects to the “wrong” access point. Just throwing every radio onto max may end up harming your wireless experience more than you might expect.

◉ Reduce the number of SSIDs that you use. Seriously. If you have more than 2 SSIDs, you probably need to check whether you really, really need them. Again I’ll point you in the direction of Andrew over at Revolution WiFi and his SSID overhead calculator. I recently paid a visit to a school that had 7 SSIDs actively broadcasting, and in many spaces around the school had a decent chunk of co-channel interference going on. In one space where they were having plenty of problems, I observed 3 different APs sharing the same 2.4GHz channel, each at a signal strength that was fine for my device, and each broadcasting all 7 SSIDs. Using Andrew’s maths, approximately 77% of all airtime was being consumed by beacon frames. No wonder they were having a pretty poor time there!

◉ Do you really need 802.11b? Chances are high that you don’t and so you should disable it. If you have an 802.11b client it’s like having a tractor on a single lane road. Yes it still needs to get from A to B, and it can do so – but everyone else is stuck behind it and gets frustrated at how slow the tractor is moving. You can pick up a USB wireless dongle for about $50 and turn that old device into an MX5.
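To show why the SSID count and the 802.11b point above are really the same problem, here is an added example (not from the original post, and not the Revolution WiFi calculator itself) that estimates beacon airtime from the SSID count, the number of APs sharing a channel and the lowest basic rate. Every AP sends one beacon per SSID every beacon interval at that lowest rate, so disabling 802.11b (which lifts the lowest rate from 1 Mbps to 6 Mbps) shrinks each beacon as much as cutting SSIDs does. The beacon size, preamble times and the four scenarios are assumptions for the demo; the absolute figure depends on those, so it will not reproduce the 77% quoted above exactly, but the ratios between scenarios are the point.

```powershell
# Added example, not from the original post: rough beacon-airtime estimate per channel.
# Assumptions: 300-byte beacons, 100 TU (102.4 ms) beacon interval, 192 us DSSS long preamble
# for 802.11b rates and 20 us OFDM preamble+signal for 6 Mbps and above.
function Get-BeaconAirtimePercent {
    param(
        [int]    $Ssids,
        [int]    $ApsOnChannel,
        [double] $BasicRateMbps,          # 1 with 802.11b enabled, 6 for 802.11g/a/n-only
        [int]    $BeaconBytes = 300,      # assumed typical beacon size including vendor IEs
        [double] $IntervalMs  = 102.4     # default beacon interval (100 TU)
    )
    $preambleUs = if ($BasicRateMbps -lt 6) { 192 } else { 20 }
    $beaconUs   = $preambleUs + ($BeaconBytes * 8) / $BasicRateMbps   # 1 Mbps = 8 us per byte
    $beaconsPerInterval = $Ssids * $ApsOnChannel                       # each AP beacons each SSID
    [math]::Round(100 * ($beaconsPerInterval * $beaconUs) / ($IntervalMs * 1000), 1)
}

# Scenarios: the 7-SSID / 3-AP situation described above, with and without 802.11b,
# and the same channel trimmed to 2 SSIDs (constructed inputs, not site measurements)
$scenarios = @(
    @{ Label = '7 SSIDs, 3 APs, 802.11b on  (1 Mbps)'; Ssids = 7; Aps = 3; Rate = 1 }
    @{ Label = '7 SSIDs, 3 APs, 802.11b off (6 Mbps)'; Ssids = 7; Aps = 3; Rate = 6 }
    @{ Label = '2 SSIDs, 3 APs, 802.11b on  (1 Mbps)'; Ssids = 2; Aps = 3; Rate = 1 }
    @{ Label = '2 SSIDs, 3 APs, 802.11b off (6 Mbps)'; Ssids = 2; Aps = 3; Rate = 6 }
)
foreach ($s in $scenarios) {
    $pct = Get-BeaconAirtimePercent -Ssids $s.Ssids -ApsOnChannel $s.Aps -BasicRateMbps $s.Rate
    '{0,-40} beacon airtime: {1,5}%' -f $s.Label, $pct
}
```

With these assumptions the 7-SSID, 3-AP, 802.11b-enabled channel spends roughly half its airtime on beacons before a single client sends anything; turning 802.11b off alone drops that to under a tenth, and 2 SSIDs without 802.11b to a few percent.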

We’ve seen a number of wireless environments dramatically improved by simply addressing the five points listed above. Of course this is by no means comprehensive and as with all wireless networks, proper design is absolutely crucial to delivering an excellent experience. We’d love to hear some “rules of thumb” or tips and tricks that you’ve employed to eke the best out of your wireless deployment.

CryptoLocker – File Screens

*** Please note, this is not a cure for CryptoLocker, it is simply one of a number of steps you can take to protect your school.  Up-to-date Anti-Virus and User Education are the most effective tools at your disposal ***

Catalytic IT have seen a number of schools come up against the dreaded CryptoLocker virus, which has been out in the wild for some time.  As a general rule your best protection is firstly end user education, and secondly the use of a solid centralised AV solution to provide reporting.

In this BYO(D/T/whatever) world, increasingly we see unmanaged or semi-managed devices introduced onto the school network.  We can perform compliance checks to ensure that they have an Anti-Virus program installed, however some vendors are better than others, and we’ve seen machines that claim to be fully protected utterly filled with malware.  Now combine this CryptoLocker infested machine with access to school file shares and you have a recipe for disaster.

A machine that can access school shares, with read/write access, can encrypt those same files and hold you to ransom.  Here’s the kicker: even if you run Anti-Virus on your file server, you won’t be told there’s an infection out there as it’s not actually infecting your files with a virus – it’s simply encrypting them.  If you combine this with encryption on public shares (perhaps in an infrequently accessed location) and relatively short backup windows (say we keep backups for 2 to 3 weeks) it’s entirely conceivable that you won’t be able to restore those encrypted files from backup!

However, there is something you can do (above and beyond making sure your clients have good Anti-Virus and only the access they require).  For a long time, Windows Server has had “File Screen” functionality built-in to the file server role.  We outline a process below to ensure you are notified if CryptoLocker (as we’ve seen it) encrypts those files on your network shares:

Firstly, you need to ensure that your file server can notify you if a file system event occurs that you want to be told about:

1)   Launch the File Server Resource Manager (this usually sits under Control Panel->Administrative Tools->File Server Resource Manager)

2)   Right click on File Server Resource Manager (Local) and select “Configure Options”

3)   Configure the Email Notifications tab of your file server with the appropriate details for your school/company

4)   Send Test E-mail to ensure that your settings are correct and working as expected.  You should receive a test email.

Now that you have configured e-mail notification on your file server, you need to configure the File Group, which is essentially the file name pattern that the server watches for to let you know that CryptoLocker has crept onto your shares:

5)   Right click on File Screening Management->File Group and select “Create File Group”

6)   Enter the File Group name as “CryptoLocker” and under “Files to include:” enter “*DECRYPT*.*” then select Add

7)   Select OK and you now have a File Group

Now that you have created a File Group you will want to create a “File Screen Template”

8)   Right Click on File Screening Management->File Screen Templates and select “Create File Screen Template”

9)   In the Settings tab set your Template Name to whatever you like (e.g. CryptoLocker-Template) and set your screening to Passive Screening, then select CryptoLocker from your file groups below

10)   Check the “Send e-mail to the following administrators” check box on the E-mail Message tab

11)   Select the Send warning to event log check box on the Event Log tab:

12)   Select OK and you have now created your File Screen Template

Finally your last step is to actually apply this template to folders that your staff/students can access.

13)   Right click on File Screening Management->File Screens and select “Create File Screen”

14)  Define the path to the shared folder you wish to protect through the Browse button, and choose your newly created template from the drop down list under “Derive properties from this file screen template (recommended)” then select Create

15)  Repeat this process for each of the shared folders that could be conceivably written to by staff/students
16)  You’re done. From now on you should be notified when a staff member or student with CryptoLocker writes a file matching the pattern (the ransom note) into one of your screened folders

Note: The above process addresses the file names that we have seen, however variants may use different file names, which may require you to modify the file group’s wildcard pattern to capture them.  As always you should ensure that you rely on multiple approaches to protect your network.
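The same sixteen steps can be scripted, which makes them repeatable across several file servers and easy to re-run when you add a pattern. The following is an added example (not from the original post) using the FileServerResourceManager PowerShell module that ships with the FSRM role service on Windows Server 2012 and later. The SMTP server, e-mail addresses and share paths are assumptions; replace them with your own.

```powershell
# Added example, not from the original post: steps 1-16 above as an FSRM PowerShell script.
# Requires the File Server Resource Manager role service. Values marked "assumption" are placeholders.
Import-Module FileServerResourceManager

$smtpServer = 'smtp.school.example'              # assumption
$adminEmail = 'itadmin@school.example'           # assumption
$fromEmail  = 'fsrm@fileserver.school.example'   # assumption
$sharePaths = @('D:\Shares\Staff', 'D:\Shares\Students', 'D:\Shares\Public')   # assumption
# File name patterns to watch for. "*DECRYPT*.*" is the one described above; add more as variants appear.
$patterns   = @('*DECRYPT*.*')

# Steps 1-4: global e-mail settings and a test message
Set-FsrmSetting -SmtpServer $smtpServer -AdminEmailAddress $adminEmail -FromEmailAddress $fromEmail
Send-FsrmTestEmail -ToEmailAddress $adminEmail -SmtpServer $smtpServer

# Steps 5-7: the file group (create it, or update the pattern list if it already exists)
if (Get-FsrmFileGroup -Name 'CryptoLocker' -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name 'CryptoLocker' -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name 'CryptoLocker' -IncludePattern $patterns | Out-Null
}

# Steps 8-12: passive (notify-only) template with e-mail and event log actions.
# [Admin Email], [Source Io Owner], [Source File Path], [Server] and [File Screen Path]
# are FSRM's own notification variables, filled in when the screen fires.
$body  = 'User [Source Io Owner] wrote [Source File Path] on [Server] under screened path [File Screen Path]. Possible CryptoLocker activity.'
$email = New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'Possible CryptoLocker on [Server]' -Body $body
$event = New-FsrmAction -Type Event -EventType Warning -Body $body
if (-not (Get-FsrmFileScreenTemplate -Name 'CryptoLocker-Template' -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name 'CryptoLocker-Template' -IncludeGroup 'CryptoLocker' `
        -Active:$false -Notification $email, $event | Out-Null
}

# Steps 13-15: one screen per share, derived from the template
foreach ($path in $sharePaths) {
    if (-not (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue)) {
        New-FsrmFileScreen -Path $path -Template 'CryptoLocker-Template' | Out-Null
    }
}

# Step 16: confirm what is now in place
Get-FsrmFileScreen | Select-Object Path, Active, IncludeGroup | Format-Table -AutoSize
```

Two caveats worth knowing before you rely on this. Passive screening blocks nothing: the screen fires when a file whose name matches the group is created or renamed under a screened path, so it catches the ransom note being dropped, not the encryption of the documents themselves, which is why the pattern list needs maintaining as variants change. Secondly, FSRM suppresses repeat notifications for the same event for 60 minutes by default (the notification limits in Set-FsrmSetting), so expect one e-mail per outbreak rather than one per folder, and treat that first e-mail as the signal to find and disconnect the offending machine.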
