Identifying suspicious mail rules

Over the past few months, we’ve seen a significant increase in the number of highly targeted phishing attacks on schools and businesses which have demonstrated a level of sophistication we’d not encountered previously.

The current modus operandi appears to be:

1. Attacker targets “high-value” person within organisation (for example business manager, principal, accounts payable, CFO, etc)
2. Attacker sends spear-phishing email to target to collect login details
3. Attacker uses credentials to log in as end user, and configures mail-forward on target’s mail account
4. Attacker watches mail flow for weeks or months, searching for high-value opportunities (typically an upcoming large payment)
5. Attacker intercepts payment requests, deleting original email from inbox
6. Attacker replaces payment request with custom crafted email (modified from original), changing payment details to reflect an account the attacker has control of
7. Profit.

As we know, effective anti-spam, anti-phishing solutions can often intercept & address point two, however sometimes these things slip through the cracks. Office 365’s advanced threat protection analytics engine is remarkably effective at identifying this. Similarly, Office 365’s/Azure Security Dashboards and analytics are great at identifying suspicious logins for a user account. Plus, those high-value accounts are all using multi-factor authentication anyway, right?

However, let's assume for a moment that you've yet to get all of that set up, or you suspect that something may already be in place and you want to check whether this is an issue… How might you do this?

It turns out, dumping a list of mailbox rules currently in place across your organisation is incredibly simple to do. Take a look at the below PowerShell script:

$UserCredential = Get-Credential
# Connect to Exchange Online remote PowerShell. Note: Microsoft has since retired Basic authentication
# for this endpoint; current tenants connect with Connect-ExchangeOnline (ExchangeOnlineManagement module) instead.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# -ResultSize Unlimited is required: without it Get-Mailbox stops at 1000 mailboxes and silently skips the rest
$mailboxes = Get-Mailbox -ResultSize Unlimited
$results = foreach ($mailbox in $mailboxes) {
    # Collect every inbox rule, including the fields an attacker uses to divert or hide mail
    Get-InboxRule -Mailbox $mailbox.Alias | Select-Object Enabled,Name,Priority,From,SentTo,CopyToFolder,DeleteMessage,ForwardTo,MarkAsRead,MoveToFolder,RedirectTo,MailboxOwnerId
}

$results | Export-Csv -Path MyInboxRules.csv -NoTypeInformation

This script connects to Office 365, grabs a list of all of your mailboxes, and exports the mailbox rules that are in place to a CSV for you to review. Pay particular attention to the ForwardTo/RedirectTo fields for any external email addresses, or suspicious values.
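Reviewing that CSV by eye gets tedious past a few hundred mailboxes, so here is an added example (not part of the original post) that triages the export: it flags any rule whose ForwardTo/RedirectTo points outside your own domains, or that deletes messages as in step 5 above. It assumes $OrgDomains lists your accepted domains and that the recipient columns use Exchange's "Name" [SMTP:user@domain] format; the sample CSV is constructed.

```powershell
# Added example: triage the MyInboxRules.csv export produced by the script above.
# Assumptions: $OrgDomains holds your organisation's accepted domains (placeholders
# below), and recipient columns use Exchange's  "Name" [SMTP:user@domain]  format.
$OrgDomains = @('school.wa.edu.au', 'school.onmicrosoft.com')   # constructed placeholders

function Get-SuspiciousInboxRules {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,        # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string[]] $OrgDomains
    )
    $emailPattern = '[\w.+-]+@[\w-]+(\.[\w-]+)+'
    foreach ($rule in $Rules) {
        # ForwardAsAttachmentTo is only present if you add it to the Select above; $null is harmless here
        $targets  = @($rule.ForwardTo, $rule.RedirectTo, $rule.ForwardAsAttachmentTo) -join ' '
        # Every address in the recipient columns whose domain is not one of ours
        $external = [regex]::Matches($targets, $emailPattern) |
            ForEach-Object { $_.Value.ToLower() } |
            Where-Object { $OrgDomains -notcontains $_.Split('@')[1] } |
            Sort-Object -Unique

        $reasons = @()
        if ($external)                      { $reasons += "forwards/redirects outside the organisation: $($external -join ', ')" }
        if ($rule.DeleteMessage -eq 'True') { $reasons += 'deletes messages' }   # CSV values are strings
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $rule.MailboxOwnerId
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reason  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample export with the same columns as the script above.
# In production replace this with:  $rules = Import-Csv -Path MyInboxRules.csv
$sampleCsv = @'
"Enabled","Name","Priority","From","SentTo","CopyToFolder","DeleteMessage","ForwardTo","MarkAsRead","MoveToFolder","RedirectTo","MailboxOwnerId"
"True","Copy invoices to AP","1","","","","False","""Accounts Payable"" [SMTP:accounts@school.wa.edu.au]","False","","","jane.doe"
"True","Payments","2","","","","True","","True","","""payments.archive@mail-drop.example"" [SMTP:payments.archive@mail-drop.example]","jane.doe"
"True","Newsletters","3","","","","False","","True","Inbox\Newsletters","","john.roe"
'@
$rules = $sampleCsv | ConvertFrom-Csv

# Only jane.doe's "Payments" rule should be reported: external redirect plus message deletion
Get-SuspiciousInboxRules -Rules $rules -OrgDomains $OrgDomains | Format-Table -AutoSize
```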

There are more sophisticated ways to keep an eye on this, and in some ways this is using a hammer to crack a walnut, however it may just be worth running this against your environment and confirming you’re not currently in the midst of a targeted attack. Oh, and don’t forget to enable MFA.

David Moyle Joins the team

We’d like to welcome David Moyle to the team at Catalytic IT as our newest Support Consultant.

David joins us at Catalytic IT after working for the past nine years at a variety of independent and Catholic Education schools throughout WA. Most recently his role was the ICT Technical Manager of a 1300+ student Catholic College that has been continually recognised as an Apple Distinguished School.

David has a strong passion for education and providing a trouble-free technical environment for educators and students.

Outside of CIT hours David is an active volunteer at motorsport rally events.

Cloud Security – Two Factor Authentication

A dry topic to kick off the year, however one that is very important to those of you who have embraced cloud based services, whether for your personal or business use.

Have you ever considered what would happen if someone were to gain access to your Facebook account?  How about Twitter?  Now consider what happens if someone gains access to your email… You know, the one that you use for every service that you sign up for?  Suddenly an attacker can reset your password for most of your online services and get the password reset notification to that compromised email account.

It might sound a little scary, but the reality is this happens every single day around the world.

The good news is that most of your favourite cloud services have steps that you can follow to minimise the risk by utilising two factor authentication.  Some have it turned on by default. So what is it?

You may have noticed that when you sign up to certain services they ask you to enter your mobile number and then require you to enter a code that you receive via SMS – that’s two factor authentication.  In order for you to log into a service, you need to enter something you know (your username and password) and something you have (the code you just received on your mobile phone).  This is of course a simplification, however it does demonstrate how an attacker would need to take extra steps to then break into a service – they need to compromise your email as well as your mobile phone.

Sure, it might be inconvenient to have to grab your phone when you want to log into a service, however consider the effect on someone trying to compromise your account… Their job just got a whole lot harder (not impossible, just harder).

The great news is most popular services have options to enable this, and many enable it by default.  Here are just a few links to get you started:

So why not protect yourself and enable two factor authentication on your most important personal and business accounts?  It’s not a magic bullet, however it does give you a little extra peace of mind that you’re taking the right steps to help protect yourself online.

Apple VPP and Device ID

So as most people who deal with Apple iOS devices will now be aware, as of iOS 9 Apple provided the ability to deploy apps via Device ID as well as via Apple ID. This process is called managed distribution. For the many schools that are dealing with iOS devices in a shared environment, this will improve the process of getting apps on devices and keeping them up to date.

There are some small caveats:

◉ Apps must be deployed via a supported MDM solution

◉ Alternatively they can be deployed via the new Apple Configurator 2

◉ The App developer must enable this feature on their App

Apple has had a way to convert apps from VPP codes to managed distribution for a long time. This process has now been made even easier. You can request that apps be converted to managed distribution via specific orders, which means you can stage your conversion based on when developers enable this function. The instructions for this are available here: https://support.apple.com/en-au/HT202863

But how do you know if an app is available via managed distribution to Device ID?

The iTunes Store has an API that you can either manually visit a URL to view, or do something programmatically to check this. The general URL is:

http://itunes.apple.com/lookup?id=<appstore_ID_Number>

How do you get the App Store ID number? If you search for the app in question in iTunes, it’s fairly easy. Next to the “Buy” or “Get” button (depending if it’s free or paid) click the chevron (the little downwards arrow) and click “Get Link”. Paste that link somewhere and you’ll see something like

https://itunes.apple.com/us/app/self-service-mobile/id718509958?mt=8

Our ID in this case is 718509958. The app I’ve looked up is JAMF Self Service. Now pop that into the API URL format:

http://itunes.apple.com/lookup?id=718509958

If you drop that URL into a browser, you’ll get a JSON response. To find out if the app supports device-based VPP licensing, the key you’re looking for is

isVppDeviceBasedLicensingEnabled

An app that supports VPP device-based licensing will return a value of true.

This way you can check your already purchased apps to ensure that they will work with this new feature before getting the codes converted, or before you choose to purchase an app.
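As an added example, not from the original post, the following PowerShell pulls the App Store id out of a "Get Link" URL as described above and reads isVppDeviceBasedLicensingEnabled from the lookup response. It accepts a saved response so it can be checked offline; the embedded JSON is a constructed sample and says nothing about the real app.

```powershell
# Added example: check device-based VPP licensing for an App Store link or id.
function Get-AppStoreId {
    # Extracts the numeric id from a "Get Link" URL such as .../id718509958?mt=8
    param([Parameter(Mandatory)] [string] $Link)
    if ($Link -match '/id(\d+)') { return [int64] $Matches[1] }
    if ($Link -match '^\d+$')    { return [int64] $Link }      # a bare id is accepted too
    throw "No App Store id found in '$Link'"
}

function Test-VppDeviceLicensing {
    param(
        [Parameter(Mandatory)] [int64] $AppId,
        [string] $Json      # a saved lookup response; omit to query the live API
    )
    if (-not $Json) {
        $Json = (Invoke-WebRequest -Uri "https://itunes.apple.com/lookup?id=$AppId" -UseBasicParsing).Content
    }
    $response = $Json | ConvertFrom-Json
    if ($response.resultCount -lt 1) {
        # Unknown id, or an app not sold in the store front being queried
        return [pscustomobject]@{ AppId = $AppId; Name = $null; Found = $false; DeviceBasedVpp = $false }
    }
    $app = $response.results[0]
    [pscustomobject]@{
        AppId          = $AppId
        Name           = $app.trackName
        Found          = $true
        # A missing key is treated as "not enabled" rather than as an error
        DeviceBasedVpp = [bool] $app.isVppDeviceBasedLicensingEnabled
    }
}

# Constructed sample response (the real lookup returns many more fields); the 'true'
# here is illustrative only and is not a statement about the actual app.
$sampleJson = @'
{ "resultCount": 1,
  "results": [ { "trackId": 718509958, "trackName": "Self Service Mobile",
                 "isVppDeviceBasedLicensingEnabled": true } ] }
'@

$id = Get-AppStoreId -Link 'https://itunes.apple.com/us/app/self-service-mobile/id718509958?mt=8'
Test-VppDeviceLicensing -AppId $id -Json $sampleJson        # offline, using the sample above
# Live query against the store (needs internet access):  Test-VppDeviceLicensing -AppId $id
```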

Wireless Tips

Wireless networking seems to be something of a mystery to a lot of organisations that we speak with, however more and more it’s becoming a critical part of their infrastructure. If you get it right, you’ll have a rock solid experience comparable to being physically cabled. Get it wrong, and you’ll be cursed to live a life of buffering videos and frustrated staff.

The topic is enormous, however to get started we’d like to cover off a few little tips and tricks that we’ve picked up working with schools on their wireless design.

◉ Think of wireless as a half-duplex medium. Technically, researchers have found a way to achieve full-duplex communication, however the wireless access point you’re using will not be doing so. Only one device gets to speak at a time, and before a device talks it listens to see if anyone else is already talking. The more devices you have on a radio, the greater the chance you will try to talk at the same time as another device. If this happens, you’ll both wait for a random period of time and try again. Put simply, more clients per radio has an exponentially more detrimental effect on your clients. In line with what we’ve seen at schools using multimedia in class, we suggest allowing 10-20 clients max per radio. In a school this probably means you’re going to be using an access point per classroom.

◉ Restrict the use of 2.4GHz wherever possible as it tends to be a more congested spectrum. Andrew at Revolution WiFi has an excellent perspective on the problem here, however in short – you probably want to use 2.4GHz as little as possible – especially if you’re in a space where you have poor wifi neighbours. The use of software programmable radios is an excellent strategy and there are vendors today who allow you to be flexible with your approach to radios (for example use dual-5GHz radios on a single AP). The traditional “fixed 2.4/5GHz” radio vendors can and do work, but you’re going to be doing an awful lot more tweaking and chances are you’re going to have some APs deployed with radios turned off.

◉ Consider cell-sizing as a critical part of your design. Some wireless clients are fairly bright about working out the best signal to use, and you can rely on them to select the radio you want them to. Others are not, and some will hang onto a signal for dear life (iPads are notorious for this) even when that is not what you want them to do. If you design your cell sizes appropriately, you can minimise the chances that the device connects to the “wrong” access point. Just throwing every radio onto max may end up harming your wireless experience more than you might expect.

◉ Reduce the number of SSIDs that you use. Seriously. If you have more than 2 SSIDs, you probably need to check whether you really, really need them. Again I’ll point you in the direction of Andrew over at Revolution WiFi to take a look at the SSID overhead calculator. I recently paid a visit to a school that had 7 SSIDs actively broadcasting, and in many spaces around the school had a decent chunk of co-channel interference going on. In one space where they were having plenty of problems, I observed 3 different APs sharing the same 2.4GHz channel, with a signal strength that was fine for my device, and 7 SSIDs on each. Using Andrew’s maths, approximately 77% of all airtime was being consumed by beacon frames… No wonder they were having a pretty poor time there!

◉ Do you really need 802.11b? Chances are high that you don’t and so you should disable it. If you have an 802.11b client it’s like having a tractor on a single lane road. Yes it still needs to get from A to B, and it can do so – but everyone else is stuck behind it and gets frustrated at how slow the tractor is moving. You can pick up a USB wireless dongle for about $50 and turn that old device into an MX5.

We’ve seen a number of wireless environments dramatically improved by simply addressing the five points listed above. Of course this is by no means comprehensive and as with all wireless networks, proper design is absolutely crucial to delivering an excellent experience. We’d love to hear some “rules of thumb” or tips and tricks that you’ve employed to eke the best out of your wireless deployment.

Our trip to EduTech 2015

Michael from Catalytic IT was lucky enough to attend the EduTech conference in Brisbane in early June, in order to gain a better understanding of the latest educational ICT trends.

The conference began with a visit to the NetBox National Users Group, where we learned about the upcoming changes for v30.  For those of you who are struggling with SNI challenges at the moment, this will be a welcome update.

We also got the opportunity to meet up with some local and interstate schools and get a feel for what they were doing, and the challenges they were actively facing.  We then caught up with our former colleagues (and still partners) Datacom for a catch up and a quiet drink.

Things began in earnest for us on Tuesday as we got the opportunity to listen to Eric Mazur discuss his vision for rethinking assessments, as he argued that assessment methodologies in use today do not accurately reflect the skills we want to give our students.  A fascinating insight into his thought process, and certainly some implications for integrators as we look to help implement systems that support peer and self-assessment and more instantaneous feedback.

We also got to take a sneak peek into Design39, an innovative new style of school (https://sites.google.com/site/design39campus/portrait), and it was fascinating to see the concepts that were embraced when starting from scratch.  We listened to a session by the Dell Security team and picked up some great stats to demonstrate the importance of securing your networks appropriately.  We also got to take a look into the infrastructure and thought process behind the BYO program at Kristen School in Auckland – a very well thought out approach, and one from which we picked up a few tips and tricks that we intend to put to use amongst our schools (particularly the BYO experience).  We rounded off a great day with dinner/drinks with NetBox Blue and Seqta (it was definitely the place to be on Tuesday night!)

Our final day began with an utterly fascinating presentation by Larry Johnson from NMC as he walked us through networks between the generations.  We also got to hear from Paul Lister (Scots College) as he walked through the process of finding the right partner for your school – an approach we thoroughly endorse, and the values he espoused (Trust and Accountability) are tenets of any engagement we pursue.  We heard from Kevin Richardson from Immanuel College in Adelaide as he walked us through their approach to BYOT, and we were quite impressed with how much they managed to achieve with relatively few resources.  It was also quite interesting to listen to Mitch Miller walk through their cloud strategy (they’ve moved pretty much all of their core infrastructure away from the school to Amazon), the hurdles they’ve faced and how they overcame them.

Throughout the conference we made sure we had a chat with suppliers/vendors that we thought had innovative solutions.  New connections were made and we hope to share some innovative solutions that have come from those connections as they occur.  All in all it was a great opportunity to see what others were doing, learn from their mistakes and hopefully help our customers prepare for educational ICT trends.

Meredith Hendry joins Catalytic IT

We’d like to welcome Meredith Hendry to Catalytic IT as our new Business Administrator.

Meredith has a wealth of experience working with small and large companies alike. Her skills and experience will help us with our goal of standing out as a leader in providing ICT services.

Meredith will be responsible for all things internal to ensure that we can continue to provide unrivalled customer support. Her experience will enable Catalytic IT to ensure that we have the same internal processes that we strive to achieve for our clients. Her motivation towards excellence and attention to detail will be a great asset and driver to help us continually improve our overall client experience.

Meredith is an avid Brisbane Lions supporter, however we still believe she will be a valuable asset to our team.

DEP Now in Australia

Corporate-owned deployments made simple.

The Device Enrollment Program (DEP) provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices, whether purchased directly from Apple or through participating Apple Authorized Resellers.

• Zero-touch configuration for IT.
• Streamlined setup.
• Wireless supervision.

For further information check out http://www.apple.com/business/dep/
Or if you want some help streamlining your deployment contact us

CryptoLocker – File Screens

*** Please note, this is not a cure for CryptoLocker, it is simply one of a number of steps you can take to protect your school.  Up-to-date Anti-Virus and User Education are the most effective tools at your disposal ***

Catalytic IT have seen a number of schools come up against the dreaded CryptoLocker virus, which has been out in the wild for some time.  As a general rule your best protection is firstly end user education, and secondly the use of a solid centralised AV solution to provide reporting.

In this BYO(D/T/whatever) world, increasingly we see unmanaged or semi-managed devices introduced onto the school network.  We can perform compliance checks to ensure that they have an Anti-Virus program installed, however some vendors are better than others, and we’ve seen machines that claim to be fully protected utterly filled with malware.  Now combine this CryptoLocker infested machine with access to school file shares and you have a recipe for disaster.

A machine that can access school shares, with read/write access, can encrypt those same files and hold you to ransom.  Here’s the kicker: even if you run Anti-Virus on your file server, you won’t be told there’s an infection out there as it’s not actually infecting your files with a virus – it’s simply encrypting them.  If you combine this with encryption on public shares (perhaps in an infrequently accessed location) and relatively short backup windows (say we keep backups for 2 to 3 weeks) it’s entirely conceivable that you won’t be able to restore those encrypted files from backup!

However, there is something you can do (above and beyond making sure your clients have good Anti-Virus and only the access they require).  For a long time, Windows Server has had “File Screen” functionality built-in to the file server role.  We outline a process below to ensure you are notified if CryptoLocker (as we’ve seen it) encrypts those files on your network shares:

Firstly, you need to ensure that your file server can notify you if a file system event occurs that you want to be told about:

1)   Launch the File Server Resource Manager (this usually sits under Control Panel->Administrative Tools->File Server Resource Manager)

2)   Right click on File Server Resource Manager (Local) and select “Configure Options”

3)   Configure the Email Notifications tab of your file server with the appropriate details for your school/company

4)   Send Test E-mail to ensure that your settings are correct and working as expected.  You should receive a test email.

Now that you have configured e-mail notification on your file server, you need to configure the File Group, which is essentially the string that you’re looking for on the server to let you know that CryptoLocker has crept onto your shares:

5)   Right click on File Screening Management->File Group and select “Create File Group”

6)   Enter the File Group name as “CryptoLocker” and under “Files to include:” enter “*DECRYPT*.*” then select Add

7)   Select OK and you now have a File Group

Now that you have created a File Group you will want to create a “File Screen Template”

8)   Right Click on File Screening Management->File Screen Templates and select “Create File Screen Template”

9)   In the Settings tab set your Template Name to whatever you like (e.g. CryptoLocker-Template) and set your screening to Passive Screening, then select CryptoLocker from your file groups below

10)   Check the “Send e-mail to the following administrators” check box on the E-mail Message tab

11)   Select the Send warning to event log check box on the Event Log tab:

12)   Select OK and you have now created your File Screen Template

Finally your last step is to actually apply this template to folders that your staff/students can access.

13)   Right click on File Screening Management->File Screens and select “Create File Screen”

14)  Define the path to the shared folder you wish to protect through the Browse button, and choose your newly created template from the drop down list under “Derive properties from this file screen template (recommended)” then select Create

15)  Repeat this process for each of the shared folders that could be conceivably written to by staff/students
16)  You’re done – from now on you should be notified when a staff member or student with CryptoLocker encrypts a folder on your shared drives
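The same sixteen steps scripted, as an added example rather than part of the original post, using the FileServerResourceManager module that comes with the File Server Resource Manager role (Windows Server 2012 and later). The SMTP host, e-mail addresses and share paths are placeholders; everything else mirrors the GUI settings above (passive screening, e-mail plus event log notification).

```powershell
# Added example: the GUI steps above as a repeatable script. Run as an administrator on the
# file server. Placeholders: SMTP host, e-mail addresses and share paths.
Import-Module FileServerResourceManager

# Steps 1-4: notification settings, then a test message to confirm they work
Set-FsrmSetting -SmtpServer 'smtp.school.example' `
                -AdminEmailAddress 'ict@school.example' `
                -FromEmailAddress 'fileserver@school.example'
Send-FsrmTestEmail -ToEmailAddress 'ict@school.example'

# Steps 5-7: the file group. Further patterns can be added to the array as new variants appear.
New-FsrmFileGroup -Name 'CryptoLocker' -IncludePattern @('*DECRYPT*.*') `
                  -Description 'Ransom note file names seen with CryptoLocker'

# Steps 8-12: a passive template (notify and log, never block) with e-mail and event log actions.
# [Admin Email], [Source Io Owner], [Source File Path] and [Server] are FSRM's own substitution variables.
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
           -Subject 'Possible CryptoLocker activity on [Server]' `
           -Body 'User [Source Io Owner] created [Source File Path], which matches the CryptoLocker file group.'
$event = New-FsrmAction -Type Event -EventType Warning `
           -Body 'Possible CryptoLocker: [Source Io Owner] created [Source File Path]'
New-FsrmFileScreenTemplate -Name 'CryptoLocker-Template' -IncludeGroup 'CryptoLocker' `
                           -Active:$false -Notification @($mail, $event)

# Steps 13-15: apply the template to every share staff or students can write to
$shares = @('D:\Shares\Staff', 'D:\Shares\Students', 'D:\Shares\Public')    # placeholders
foreach ($path in $shares) {
    if (Test-Path -LiteralPath $path) {
        New-FsrmFileScreen -Path $path -Template 'CryptoLocker-Template'
    } else {
        Write-Warning "Skipping $path (not found on this server)"
    }
}

# Step 16: review what is now in place
Get-FsrmFileScreen | Select-Object Path, Template, Active | Format-Table -AutoSize
```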

Note: The above process addresses the file names that we have seen, however variants may use different file names, which may require you to modify the file group's file name pattern to capture them.  As always you should ensure that you rely on multiple approaches to protect your network.

We are pleased to announce that Michael Lester has joined our team at Catalytic IT.

Michael has worked in technology related fields for over 13 years, more recently focusing on ICT use in education, and acting as a business to tech translator.  Michael has worked with a number of leading digital schools, locally, nationally and internationally helping deliver ICT vision through design, planning and the practical application of technology. He has delivered a number of strategic ICT reviews in conjunction with educators, applying this knowledge. Michael is actively working towards an MBA and spends his spare time convincing his wife that studying together can substitute for date nights.
