
Home Security

Wednesday, November 26, 2008

Our Annual Black Friday/Safe Shopping Post

By Rich

Hard to believe we’ve been around to post this yet a third time, but here you go. Our list of advice for shopping safely online this year; and we even updated it this time:

Yes folks, Black Friday is only days away and the silly season is upon us. As someone born and bred in good old North Jersey (until I could legally escape), land of honey and shopping malls, this is a time so deeply ingrained into my subconscious that I’ve occasionally found myself sleepwalking around the nearest parking lot, looking for our old wood-paneled station wagon.

These days, thanks to the wonder of the Internet, anyone can experience the hustle and bustle of the Paramus malls from the comfort of their own home. And to help keep your shopping experience authentic, there’s no shortage of cheats and thieves ready to yank your painstakingly chosen gifts right out of the virtual trunk of your web browser. Of course they might take your house with them, which, even in Jersey (despite the legends) is somewhat rare.

In the spirit of safe and happy holidays, Securosis presents our top 6 tips for safe online shopping, simply presented for the technical or non-technical consumer. Some of these tips also apply to the real world for those of you who just can’t restrain the draw to the mall. Spread the fun, and feel free to post your own tips in the comments.

  1. Use a dedicated credit card, temporary credit card number, or PayPal account for holiday shopping. Our first tip is also useful for the physical world- still the origin of most credit card fraud. Take your card with the lowest limit and use it exclusively for holiday shopping. Use one you can monitor online, and check the activity daily through the holidays (weekly at a minimum). Make sure it isn’t a debit card, and turn off any automatic payments (so you can dispute any charges before making payments). Keep tracking activity at least weekly for 12 months after the holidays are over, or cancel the card. DON’T USE A DEBIT CARD!!! These don’t have the same protections as credit cards, and you’re responsible for fraudulent charges. As for temporary credit cards or PayPal, read on to our second tip.
  2. Only use credit cards at major online retailers; use a PayPal debit account or temporary credit card for smaller shops. Sure, you might get a better deal from Billy-Bobs-Bait-Shop-And-Diamond-Wholesaler.com, but many smaller retailers don’t follow appropriate security practices. Those hosted with a major service are often okay, but few consumers really want to check the pedigree for specialty shops. Instead, create a dedicated PayPal account that’s not linked to any of your bank accounts or credit cards. Credit it with as much cash as you think you need and use it for those riskier online payments. Worst case, you only lose what’s in that account, and you can easily cancel it anytime. Another option, depending on your credit card company, is a temporary credit card number for online shopping. These are single use, or single retailer/session numbers that can’t be used again or leveraged to run up your account. Charges still appear on your same bill and are tied to your main credit card account. Check with your credit card company to see if they offer this service, but most of the major card issuers have it as an option. I like these better than account passwords (e.g. Verified by Visa and Mastercard SecureCode) since they work everywhere, and you don’t have to worry about anyone sniffing them.
  3. Never, ever, ever, ever click on ANYTHING in email. It doesn’t matter if your best friend sent you a really good deal in email. It doesn’t matter if it’s your favorite retailer and you’ve always gotten email offers from them. Repeat after me, “I will never click on anything in email.” No special offers. No Ebay member to member emails. No “fraud alerts” to check your account. No nothing. Ever. Nada. Attackers are getting more and more refined in their attacks, some of which are very hard to distinguish from legitimate emails. Spam waves over the holidays are expected to break records this year. When you see an interesting offer in email, and it’s a business you want to deal with, just open your web browser, type in the address manually, and browse to the item, offer, or account area. Email is the single biggest source of online fraud; never click on anything in email!
  4. Update your browser- use Firefox 3.1, IE 7 or 8, Safari 3.2.1, or Opera 9.6. Turn on the highest security settings. Over the past few months or so we’ve seen big updates of all the major browsers to include enhanced security features. Since the Safari update last week, all major browsers include features to help detect fraudulent sites- if you see a warning, shut down the browser and don’t go back to that site. All of these browsers will ask you before installing any software when you visit a site; when shopping, never allow the site to install anything. Either it’s a fraud or they don’t deserve your business. Pay particular attention to plugins to watch video, or free games unless you know it’s a trusted site (both are usually trojans). Most browsers now install with security enabled by default, so we won’t be providing detailed instructions here. Just download them. Now. Then come back and read the rest of this list. We’ll wait.
  5. Download and install NoScript for Firefox. This is a free plugin for Firefox that blocks anything from running in your browser that you don’t allow (like Javascript, Flash, and so on). You won’t need it if you just stick with Amazon, but if you use Google to help you find that can’t-miss Drink-With-Me Elmo, you shouldn’t be trolling the Internet without it. If you don’t want it bothering you all the time, at least use it during your holiday shopping and turn it off later.
  6. Keep your antivirus, firewall, antispam, and anti-spyware up to date. I don’t really care which product you use (and truth be told, we don’t really like most of the commercial ones, and don’t use them on our Macs) but as bad as some of these perform they really are essential on a PC. All users, regardless of platform, should use an email service that includes antivirus and antiphishing. For Windows users, Windows Defender is a good, free additional tool to limit spyware. Right now there’s no known spyware for Macs, unless you’re stupid and start manually downloading things.

These six simple steps won’t stop all fraud, but will significantly reduce both the chances you’ll be a victim, and the damage if you are. Feel free to email them to your friends and family who won’t normally browse a security site like this one.


Tuesday, August 19, 2008

Control Your Identity

By Rich

One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer’s, “Satan is on My Friends List”. Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it.

In my case it wasn’t that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that’s not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren’t really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing.

I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you’ve sent me a link request because you read the blog or listen to the podcast, and I haven’t responded, that’s why. Otherwise it loses any usefulness as a tool for me.

One of Shawn’s recommendations for protecting yourself is to build a profile, even if you don’t actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. Will it help? Maybe not- it’s easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that’s worth.

One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven’t really stayed in touch with many people from high school days; in my mind’s eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we’re not all that old, but at 37 we’re far past any reasonable definition of youth.

Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive.


Wednesday, June 11, 2008

There Are No Safe Web Sites

By Rich

I spend a reasonable amount of time writing security articles for the consumer audience over at TidBITS, never mind this site. When I talk about browser security, one of my top tips is to avoid risky behavior and “those” sites. Although that’s pretty standard advice, it’s become a load of bollocks, and I can no longer give it in good conscience.

I spend a lot of time these days focusing on web application security and talking with some of the leading web app researchers like Rsnake and Jeremiah Grossman. It’s increasingly obvious that a combination of cross site scripting and some more nefarious web app attacks are destroying the concept of “safe” websites. We’ve seen everything from banks, to security vendors, to advertising servers, to major providers like Google and Yahoo, fall victim to attacks where malicious content is embedded or executed in the context of the trusted sites. PayPal may make a big deal about extended validation digital certificates and colorful anti-phishing banners, yet an EV cert doesn’t do squat if the bad guy sneaks in a little malicious JavaScript and you’ve now run the nasty code in a trusted context.

Today, Dark Reading ran an article on some major security sites with cross site scripting vulnerabilities. Combined with a few beers with Rsnake last week, it pushed me over the edge.

These days, it’s hard to call any site trusted. That’s one reason I’ve shifted to my multi-browser/multi-operating system strategy. Realistically, I can’t tell everyone in the world to adopt my level of paranoia. In part because as bad as things are, most people aren’t suffering real damage because of it. That said, it strongly emphasizes the need not only to keep your system up to date, but to at least split browsers for financial vs. regular sites.

It also strongly points to the need to change the fundamental trust model of browsers, and to push us in the security industry towards solutions like ADMP and browser session virtualization (or better yet, a combination of both).

This isn’t a “the world is ending” post. It’s merely a recognition that “safe” browsing is only a partial security control these days, and one that’s losing effectiveness. We need to think about adopting new strategies before we start seeing more mass exploitation leveraging commonly trusted sites. One that transcends current browser trust models, which do little but make life easier for the smart attackers who take advantage of them.

Oh yeah, and stop wasting money on EV certs.


Monday, June 09, 2008

New Identity Theft Stats

By Rich

One of my biggest annoyances in the industry is the lack of good metrics for making informed decisions, and the overuse of crappy metrics (like ROI) that drive poor decisions. Of those valid metrics that wistfully dance with rainbows, unicorns, and pony-unicorns in my happiest dreams, those that correlate real-world fraud with real-world incidents stand alone on the peak of the rainbow bridge to metrics nirvana. I’ve written about our need for fraud statistics, not breach statistics, but often feel like I’m just banging my head against the hard, thick walls of big money.

Thanks to Debix, today there’s a bit of rainbow light at the end of the tunnel (have I killed that analogy yet? Really? Even with the unicorns?). As many of you know, since they sponsored a contest here at Securosis, Debix is an identity theft prevention company. They place credit locks with the credit agencies for you, and route all new account requests through their call center for routing to you for approval or disapproval.

Today they released some very interesting statistics. Since they pass a lot of credit query traffic through their call center, they closely track new account fraud attempts against their client base. Many of their clients enroll as a protective measure after data breaches, so for those customers they can also track at least one of the breach origins (nothing says that’s the only time they’ve been a victim). Some of this information is based on my briefing with them, and is not available in the report.

  • According to this report from the Identity Theft Resource Center, new credit account fraud is 57% of financial identity theft.
  • Many of the 259,761 accounts included in the study were the result of major incidents involving lost backup tapes.
  • There were 30,618 authorization attempts for new credit lines.
  • Of those, 380 were fraudulent (and stopped).
  • There were 4 incidents of new account creation that circumvented the Debix controls (all detailed in the report).

This gives us a bit of meat to work with. The fraud rate is about 1.25% of new accounts, which is about the average. Since most of the participants were exposed due to lost backup tapes, it shows either that those losses are not resulting in increased fraud, or that the bad guys are holding onto the information for greater than the (public) 1 year of protection.

Debix also added a new feature recently that may lead to more interesting results. When you decline to open a new account, you have the option to immediately route your case to a private investigator on their staff, who collects the information and engages law enforcement. While I doubt we’ll get hard numbers out of that, we might get some good anecdotes on the fraud origins.

On our call Debix committed to providing more statistics down the road (all anonymized of course). We gave them a few suggestions, including some ways to add controls to their analysis, and I’m really looking forward to seeing what numbers pop out in the coming years. Ideally we’ll see more stats like this coming out of the credit agencies and financial institutions, but I’m not holding my breath.

(Full disclosure: I have no business relationship with Debix, but am currently enrolled with them with a free press/pundit account).


Tuesday, March 18, 2008

Do Mac Users Need Antivirus?

By Rich

I just published an article on TidBITS on this very issue.

Basically, I don’t think the average Mac user needs it yet. AV comes at a performance cost that isn’t justified by the risks it addresses. It isn’t that Macs are more secure than Windows- it’s that they aren’t as big a target yet, and I’m not convinced that desktop antivirus will help much once Mac malware really starts proliferating.

If you are a lone Mac in a Windows environment you might need to install it to protect your Windows brethren (don’t be the vector that infects them – sending viruses you don’t even notice is not nice), and if you go to a lot of risky places you should consider it.

For the record, I don’t use AV on Mac or Vista, but I do use it on XP.

And if Apple is smart, they can finish off the Leopard security features and harden the platform enough that it won’t be as easy a target even as market share rises.

(I was amused reading the Slashdot comments, which I usually ignore. I don’t mind the criticism, but at least read the fricking article, guys).




Thursday, January 10, 2008

Why You Shouldn’t Run An Open Wireless Network Like Bruce (Or Chuck Norris)

By Rich

Bruce Schneier is one of the more venerated figures in the information security world, and rightfully so. But reading his article in Wired today, I think he might want to stick to encryption. (I know and like Bruce, so this isn’t a personal attack.)

Bruce has long bragged that he runs a totally open home wireless network. He considers it a kind of “pay it forward” charity. I love open WiFi and don’t have a problem with free access. Someday I might even open up part of my own network, although it’s probably not worth it considering where I live.

Bruce breaks the potential security risks down into two categories:

  1. Somebody abusing his network for illegal activity- spam, file sharing, attacking other systems, and so on.
  2. Connecting to his network and attacking his home systems.

He evaluates these risks as acceptable:

  1. Odds are a bad guy will use one of the five open, anonymous coffee shops down the street rather than parking in front of his house for (probably) hours on end. By saying that he instantly guarantees that some prankster will park their VW van out front and spam everyone from “Bruce Schneier’s House”. Perhaps not, but he does accurately outline the potential legal risks.
  2. In his own words, “I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.”

While these risks might be acceptable to Bruce, I don’t recommend them for anyone else, including myself.

  1. Depending on population density, your risk of abuse of an open network may be higher. I could open part of my network in my current location without much worry, but I’ve previously lived in places where the pedophile living below me would take advantage of an open network. That’s not an exaggeration- for most of the time I lived in a particular condo in Boulder the person below me was known for risky activity. Never convicted, but concerning enough I sure as hell wouldn’t want him on my network. The risk of the RIAA going after you might also be higher if you live someplace with enough close neighbors that it’s worth someone’s effort to use your network to mask their activity. It’s a low risk for me where I am now, but has been high in the past.
  2. Very few people have the skills to secure their home network to the same degree as Bruce. I also suspect his network wouldn’t withstand a penetration test by a determined attacker. My home network is very secure; all systems are patched, firewalls turned on, and trust relationships are minimal. That said, I know I could crack it. I don’t encrypt all traffic (wireless is all WPA2 though) and I have some open file shares. Why? Because it’s “secure enough” for my home, and anything that leaves the walls and connects through the public Internet is totally locked down. In some cases, thanks to my consumer devices, I’m limited in the amount of security I can apply.

I wouldn’t make a big deal out of this, but Bruce is a role model to those interested in security. I can guarantee at least a few people will open up their networks to emulate Bruce, and be the worse for wear because of it.

He also mentions the risk of violating his ISP’s terms of service:

Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP.

To give the press quote, if Bruce is doing this himself it looks like he has appropriately evaluated his personal risks and they are within his personal tolerance. If he’s recommending this to others, that’s just plain stupid.

I’ve thought about opening my own access up via a separate, segregated segment, but it’s not worth the effort since almost no one around me would need it.

Don’t follow Bruce’s example- he’s an industry pundit making a point. If you want to open up your wireless network, and are comfortable violating the terms of agreement with your ISP, please use a well-segregated open access point. Don’t just let anyone wander around and see what’s on your TiVo (since all TiVos have an open web server you can’t lock down without hacking, it ain’t that unusual a risk).

Oh, and the Chuck Norris thing?


Friday, January 04, 2008

Ask Securosis: Logging Home Router Firewall Activity

By Rich

Our first question comes from Tom, who is security minded but not a full-on security geek:

“In my Dlink 4300 there is functionality to log firewall rules to an outside logging server (I’ve seen this functionality in my old WRT54G’s as well). At the same time Linux has logging functionality that you can set up to receive outside log messages. How do I get my dlink/linksys/brand X router to talk to my Linux server and log all of the messages?”

Looking at firewall logs is a great way to get your feet wet with security. For the home user I’m not convinced it adds a lot of security, but it will be extremely educational. It won’t take long before you drop Wireshark onto your network and really start digging into traffic.

The D-Link outputs logs using syslog to any compatible syslog server. The exact configuration will vary depending on your internal network structure and which version of Linux you are using, but here’s a general overview to get it running. A number of home routers/wireless access points support this functionality.

  1. Set up your Linux server
  2. Start syslogd, and make sure it’s configured to run on startup (“chkconfig --list syslog”?).
  3. You will probably need to adjust your syslogd configuration file before it will work properly- this varies based on which version you’re running, but a quick Google search should give you what you need; likely you need to add “-r” somewhere (/etc/sysconfig/syslog on Red Hat based systems). Wikipedia is a good place to start.
  4. If you have a firewall on your Linux box, make sure UDP port 514 is open to your home network (/etc/sysconfig/iptables on Red Hat based systems).
  5. On your D-Link router, go into DHCP settings and assign a permanent address to your Linux server. Otherwise, its IP address will probably change when it reboots. You’ll probably need the MAC address of your Linux server, which you can get by running ifconfig from a shell. Some D-Links make this really easy and you can lift the address right from the screen where you assign permanent addresses. If it’s not feasible, you might just want to configure your Linux server with a static address – if you do, make sure it’s not in the DHCP scope assigned by your router.
  6. Now, on your router go start logging, and enter the IP address of your Linux box.
  7. Give it a little while, then see if you have any log entries (depending on how you configured things in syslog.conf).

And that should be it! I know this isn’t totally detailed, but it really can vary a lot depending on what you’re running, and I don’t have everything on my end to test it. The most common mistakes are leaving the syslog server on a dynamic IP address, filtering the traffic, and bad syslog configurations.
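To make the receiving end of this setup concrete, here is an added example (not part of the original post, and not the D-Link or Linux vendor’s code): a minimal syslog receiver that accepts what a home router sends over UDP port 514, decodes the RFC 3164 priority into facility and severity, and drops datagrams that do not come from the home network, mirroring the firewall restriction in step 4. The hostnames, addresses, network range and sample log lines are constructed for illustration.

```python
"""Minimal RFC 3164 syslog receiver for home-router firewall logs.

Added example, not part of the original post: shows what a consumer router
sends over UDP/514 and how the receiving side decodes it. Hostnames,
addresses and the sample lines below are constructed for illustration.
"""
import ipaddress
import re
import socketserver

# RFC 3164 facility and severity tables, indexed by numeric code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A syslog datagram starts with the PRI part: "<" digits ">" then the message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Only accept datagrams from this range (the receiver-side equivalent of
# opening UDP/514 to the home network only). Constructed/assumed range.
HOME_NET = ipaddress.ip_network("192.168.0.0/24")


def parse_syslog(raw: bytes) -> dict:
    """Split a raw datagram into facility, severity and message text."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:          # 191 = local7.debug, the maximum
        pri, msg = int(m.group(1)), m.group(2)
    else:
        # RFC 3164: a missing or malformed PRI is treated as <13> (user.notice)
        pri, msg = 13, text
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility],
            "severity": SEVERITIES[severity],
            "message": msg}


def accept_source(addr: str, allowed: ipaddress.IPv4Network = HOME_NET) -> bool:
    """True if the sending address is inside the trusted home network."""
    try:
        return ipaddress.ip_address(addr) in allowed
    except ValueError:
        return False


class SyslogHandler(socketserver.BaseRequestHandler):
    """Prints each accepted datagram roughly the way syslogd files it."""

    def handle(self):
        data, _sock = self.request            # UDP handlers get (data, socket)
        src = self.client_address[0]
        if not accept_source(src):
            return                            # drop traffic from outside the LAN
        rec = parse_syslog(data)
        print(f"{src} {rec['facility']}.{rec['severity']}: {rec['message']}")


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Listen for router logs. Port 514 needs root; use e.g. 5514 to try it out."""
    with socketserver.UDPServer((bind, port), SyslogHandler) as srv:
        srv.serve_forever()


# Constructed sample datagrams in the shape a consumer router typically emits.
SAMPLES = [
    b"<134>Jan  4 21:03:11 dlink-router kernel: DROP IN=ppp0 SRC=203.0.113.5 "
    b"DST=192.168.0.2 PROTO=TCP DPT=445",
    b"Jan  4 21:03:12 dlink-router dhcpd: DHCPACK on 192.168.0.10",  # no PRI part
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_syslog(sample))
```

Run it with `serve(port=5514)` on the Linux box and point the router at that address to see the raw lines arrive; the parsed form also makes it obvious whether the router is sending at all, which separates a firewall or static-IP problem (step 4 and 5) from a bad syslog.conf (step 3).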

Pepper adds: You can do all this with a Mac too – I send Linksys WRT54G & AirPort Extreme logs to mine.


Thursday, January 03, 2008

From Monitoring To Prevention: Switching To Debix

By Rich

Credit monitoring services, especially those from the credit agencies themselves, leave a bad taste in my mouth. I find it unconscionable that I need to pay to gain access to personal information on me that affects my life at the deepest levels. In our modern society, a good credit rating is as important for our future safety and stability (and sex, to be honest) as a sharp spear and 20/10 vision were to early man. It sucks, but money makes the world go round and we can’t feed Maslow without it (nor can most of us afford homes without good credit).

I started using credit monitoring services long before identity theft was a big issue. Back then, reports were never free and credit scores weren’t in as wide use. I wasn’t paranoid or prescient, I’d just managed to screw my credit up so badly in college that I wanted to know exactly what I needed to clean up. It would probably still be screwed up if it weren’t for online banking; I’m really bad about using the mail.

When free reports were mandated by the government I kept with the monitoring service for two reasons- to gain access to my credit score, and for identity theft monitoring.

And monitoring is not protection- I may be able to detect new activity on my credit report within 1-3 days, but by that time the damage might be done.

Along comes Debix. The government has mandated that credit services allow consumers to place “locks” on their reports. No, this won’t stop the bank from reporting you as late, but it does mean they can’t open a new account tied to your record without explicit permission. Being a bunch of wimps beholden to big money, the government only mandated they lock (place a “fraud alert” on) your record for 90 days.

For the same price (or less) as credit monitoring, Debix will place a lock on your record and renew it automatically every 90 days. They link the lock to their call center, and when a creditor calls to verify that you really want to open the account the call center routes it to up to three numbers you provide. This has the added advantage of keeping your phone number off your record.

(Full disclosure: I was given a free preview, so I didn’t pay for the service. But it’s cheaper than the credit monitoring service I’m dropping).

Pretty cool- kind of like anti-exploitation for identity theft.

They also insure you and provide a few other features. They are a direct competitor of LifeLock, but LifeLock’s been in the news a bunch here in Phoenix for some… irregularities… that make me uncomfortable with the company.

I do like seeing inquiries on my credit report, but I can get that for free on a quarterly basis rather than needing it instantly. Debix is $4/month cheaper than my monitoring was, and blocks unwanted activity.

I like that.


Monday, December 24, 2007

Your Holiday Family Security Checklist

By Rich

If you read this blog, odds are today and tomorrow you’ll be responsible for “fixing” the computers of your extended family. It’s also a great excuse to get you some much-needed web browsing time if the family conversations get boring. Here’s my (very short) checklist:

  1. Make sure they’re behind some sort of NAT firewall/home router. Anything that keeps them from being directly connected to the Internet. Do a quick check to make sure it isn’t forwarding any ports to internal addresses. A cheap $50 router/wireless access point alone will stop most worm/network attacks. If they don’t have one, you now have a convenient excuse to visit Fry’s Electronics or your local Circuit Buy.
  2. Back up their photos onto an external hard drive or CD/DVD. For many people, nothing else really matters. This should get you out of any idle chit-chat, and no one needs to know you’re reading Slashdot and drinking a beer in the back room. You can milk this one for as long as needed, and it comes across as being more helpful than just watching sports.
  3. Check to see if Windows is updated. If it isn’t, assume they are infected. If they don’t have SP2, buy them a new computer.
  4. Run a quick scan for any obvious spyware/malware. I ask if the computer’s been running slow lately; that’s a good indicator. Otherwise just download one of the free tools and give it a run. If their AV suite is out of date, and they use the computer for more than the most simple of tasks, assume it’s infected. At this point I will usually load up a free suite of tools (AVG Free, whatever anti-spyware is handy, and activate the Windows firewall). This is your time to work on blog entries and maybe Twitter a bit, although if the computer is infected you won’t want to log into any of your accounts. If you need more alone time, stare at the screen and curse occasionally as people walk past. They’ll leave you alone.
  5. If you’re pretty sure it’s infected you have a choice. If the computer is old, tell them to buy a new one (preferably a Mac). If it’s current but blasted, tell them to back up important files and nuke it from orbit. If it’s your parents, back up and nuke it yourself. Send someone to buy you better beer (Stone Arrogant Bastard should do) so you can “concentrate” better.
  6. Tell your father/uncle/father-in-law/whoever to stop going to “those” sites. When they deny it, show them their cookie files. When they still deny it, close the door to the room and open up the web cache. If they still deny it, blame your 4 year-old nephew and suggest a good child psychologist. If they don’t cave at this point, tell them Crazy Uncle Bobby touched you as a kid; maybe it’s his fault.
  7. Turn on their antispam, preferably at the ISP level. This will stop a lot of email viruses.
  8. No matter what, tell them you found terrorist child pornography from gambling sites on their system, and inform them to never click on anything in email. This should keep them out of trouble.

If you just backup the files, do a quick check, and figure out if you need to nuke it or keep it, that’s enough and only takes a few minutes. Feel free to extend as long as needed based on your particular family dynamics.

If your family has Macs, you might need to fake it. They’ll probably catch you.

Me? My immediate family has Macs and my wife’s side is local and I fix things as they happen. The good beer is in the fridge and I intend to fully enjoy a couple days of watching sports and making Lego robots with my nieces and nephew.

Happy Holidays- see ya in a few days.


Wednesday, December 12, 2007

Permanent Link For ipfw Rules

By Rich

Looks like the ipfw rules project that Chris is leading is pretty popular. We’ve set up a permanent link that we’ll redirect to the latest version as we keep refining this thing.

You can find it here.

Thanks again to everyone who has helped on this project:


Tuesday, December 11, 2007

ipfw Rules, v2007/12/12

By reppep

Based on extensive feedback, these rules are now much improved over the initial draft. Thanks, all!

All the versions of this post are getting out of hand, so Rich has provided a permanent URL for the current Leopard ipfw post for future reference. Please use that link, so future visitors get the latest and greatest.


DO NOT USE THESE RULES without customizing them first!

Version: 2007/12/12

For more information, see http://securosis.com/2007/11/15/ipfw-rules/

& http://securosis.com/2007/11/16/ipfw-rules-20071116-revision/#comments

These rules MUST be customized to your requirements.

In particular, if you have a private home network (behind an AirPort Base Station, Linksys WRT54G, etc.), change “” below to your private network range; duplicate rules with different ranges if you use this computer on multiple networks.

Additionally, allow only ports you actually use; block unused ports.

Thanks to:

Rich Mogull http://securosis.com

windexh8er: http://www.slash32.com/


Lee: http://thnetos.wordpress.com/


Chris Pepper http://www.extrapepperoni.com/

Apple (Server Admin is a good way to create an ipfw ruleset)


FreeBSD (where Apple got ipfw) http://www.freebsd.org/

We don’t really want this, but it’s unavoidable on Mac OS X Server, so

document it here (serialnumberd).

100 allow udp from any 626 to any dst-port 626

Let me talk to myself over the loopback.

add 200 allow ip from any to any via lo0

Loopback traffic on a ‘real’ interface is bogus.

add 300 deny log logamount 1000 ip from any to

Block multicast unless you need it.

add 400 deny log logamount 1000 ip from to any in

If we let a conversation begin, let it continue.

Let my clients go!

add 500 allow tcp from any to any out keep-state add 510 allow udp from any to any out keep-state

Block replies, if we don’t recall initiating the conversation.

add 520 deny log tcp from any to any established in

Allow DHCP responses (keep-state can’t handle DHCP broadcasts).

add 600 allow udp from any to any src-port 67 dst-port 68 in

Do you never need fragmented packets?

add 700 deny udp from any to any in frag

Let yourself ping.

add 1000 allow icmp from to any icmptypes 8

Server Admin provides these by default.

add 1100 allow icmp from any to any icmptypes 0 add 1110 allow igmp from any to any

mDNS (Bonjour) from trusted local networks (fill in your own,

preferably non-standard, networks after ‘from’).

For Back to My Mac, you might need this from ‘any’.

add 5000 allow udp from to any dst-port 5353

add 5010 allow udp from 5353 to any dst-port 1024-65535 in

ssh – should be restricted to trusted networks if at all possible; if

open to the Internet, make sure you don’t have “PermitRootLogin yes

in sshd_config (at least use

PermitRootLogin without-password”, please!)

add 5200 allow tcp from any to any dst-port 22

iTunes music sharing

add 5300 allow tcp from to any dst-port 3689


add 5400 allow tcp from to any dst-port 548

HTTP (Apache); HTTPS

add 5500 allow tcp from any to any dst-port 80

add 5510 allow tcp from any to any dst-port 443

L2TP VPN – is this complete?

add 5600 allow udp from any to any dst-port 1701

add 5610 allow esp from any to any

add 5620 allow udp from any to any dst-port 500

add 5630 allow udp from any to any dst-port 4500

iChat: local

add 5700 allow tcp from to any dst-port 5298

add 5710 allow udp from to any dst-port 5298

add 5720 allow udp from to any dst-port 5297,5678

Server Admin SSL (Mac OS X Server only)

add 5800 allow tcp from to any dst-port 311

add 5810 allow tcp from to any dst-port 427

add 5820 allow udp from to any dst-port 427

syslog – uncommon

add 5900 allow udp from to any dst-port 514

ipp (CUPS printing)

add 6000 allow tcp from to any dst-port 631

MTU discovery

add 10000 allow icmp from any to any icmptypes 3

Source quench

add 10100 allow icmp from any to any icmptypes 4

Ping out; accept ping answers.

add 10200 allow icmp from any to any icmptypes 8 out add 10210 allow icmp from any to any icmptypes 0 in

Allow outbound traceroute.

add 10300 allow icmp from any to any icmptypes 11 in

My default policy: log and drop anything that hasn’t matched an allow

rule above

add 65534 deny log logamount 1000 ip from any to any

Hard-coded default allow rule (compiled into Darwin kernel)

add 65535 allow ip from any to any
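The customization notes above say to replace the trusted-network placeholder and to duplicate the per-network rules for every network you use this computer on. The following is an added example, not part of the Securosis ruleset or its contributors' work: a POSIX shell generator that validates each network as an IPv4 CIDR prefix (so a typo cannot silently widen a rule) and emits a ruleset with one copy of a subset of the per-network rules for each network. The rule subset, rule numbering scheme and the sample networks are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Securosis ipfw ruleset: build a customized
# ruleset from the rules above, filling the trusted-network placeholder and
# duplicating the per-network rules once for every network you use.
# Assumptions: output is saved to the file your startup script loads (or
# piped to "sudo ipfw -q /dev/stdin"); the networks passed in are your own.

# Accept only a dotted-quad IPv4 prefix with a /0-/32 mask; reject anything
# else so a typo can't turn a trusted-network rule into "from any".
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/|/*) return 1 ;;
    esac
    ip=${1%/*}; mask=${1#*/}
    [ "$ip" != "$1" ] || return 1                      # no "/mask" given
    [ "$mask" -ge 0 ] 2>/dev/null && [ "$mask" -le 32 ] || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Emit the host-independent rules, then one copy of each trusted-network
# rule per network (rule numbers are offset by the network's position so
# they stay unique and ordered), then the logging default deny.
gen_rules() {
    cat <<'EOF'
add 200 allow ip from any to any via lo0
add 500 allow tcp from any to any out keep-state
add 510 allow udp from any to any out keep-state
add 520 deny log tcp from any to any established in
add 600 allow udp from any to any src-port 67 dst-port 68 in
EOF
    i=0
    for net in "$@"; do
        if ! valid_cidr "$net"; then
            echo "gen_rules: not an IPv4 CIDR prefix: $net" >&2
            return 1
        fi
        printf 'add %d allow icmp from %s to any icmptypes 8\n'  $((1000 + i)) "$net"
        printf 'add %d allow udp from %s to any dst-port 5353\n' $((5000 + i)) "$net"
        printf 'add %d allow tcp from %s to any dst-port 548\n'  $((5400 + i)) "$net"
        printf 'add %d allow tcp from %s to any dst-port 631\n'  $((6000 + i)) "$net"
        i=$((i + 1))
    done
    printf 'add 65534 deny log logamount 1000 ip from any to any\n'
}

# Usage: sh ipfw-gen.sh 192.168.77.0/24 10.9.8.0/24 > ipfw.rules
# (constructed sample networks; substitute your own non-standard ranges)
if [ $# -gt 0 ]; then
    gen_rules "$@"
fi
```

Check the result with "sudo ipfw list" after loading it, exactly as the WaterRoof instructions below describe for the hand-written version.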


Thursday, November 15, 2007

ipfw Rules, 2007/11/15 revision

By reppep

Rules revised.

As suggested by windexh8er, here’s a set of ipfw rules to customize for your own Macs or FreeBSD systems. Note that your private home network should have a non-standard IP range, both to support VPN across standard IP ranges, and for improved security, so your personal allow rules don’t match other networks you may find yourself wandering through.

The rules are below, but you’ll probably have an easier time if you download the rule file from http://securosis.com/wp-content/uploads/2007/11/ipfw-securosis.txt.

In WaterRoof, you can import these rules with “Tools > Rules Configuration > Import rules from file..”. To check your ipfw rules, use “sudo ipfw list”. When you’re satisfied with your rules, install them for future reboots with “Tools > Rules Configuration > Save to startup configuration” and “Tools > Startup Script > Install Startup Script”.

# DO NOT USE THESE RULES without customizing them first!
# Version: 2007/11/15

# For more information, see http://securosis.com/2007/11/15/ipfw-rules/

# These rules *MUST* be customized to your requirements.
# In particular, if you have a private home network (behind an AirPort
# Base Station, Linksys WRT54G, etc.), change "" below to
# your private network range.
# Additionally, allow only ports you actually use; other ports should be
# blocked by the ipfw firewall.

# Thanks to:
# Rich Mogull http://securosis.com
# windexh8er: http://www.slash32.com/
# Lee: http://thnetos.wordpress.com/
# Chris Pepper http://www.extrapepperoni.com/
# Apple (Server Admin is a good way to create an ipfw ruleset)
# http://www.apple.com/server/macosx/
# FreeBSD (where Apple got ipfw) http://www.freebsd.org/

# We don't really want this, but it's unavoidable on Mac OS X Server, so
# document it here (serialnumberd)
# 100 allow udp from any 626 to any dst-port 626

# Let me talk to myself over the loopback
add 200 allow ip from any to any via lo0

# Loopback addresses on non-loopback interfaces are bogus
add 300 deny log logamount 1000 ip from any to
add 310 deny log logamount 1000 ip from to any in

# Block multicast if you don't use it
# add 400 deny log ip from to any in

# Accept responses to my client programs
add 500 check-state

# If we let the conversation begin, let it continue
add 600 allow tcp from any to any established

# Let my programs get out.
add 700 allow tcp from any to any out keep-state
add 710 allow udp from any to any out keep-state

# Change this to DENY fragments if you don't need them.
add 800 allow udp from any to any in frag

# Block bogus inbounds that claim they were established
# add 900 deny log tcp from any to any established in

# add 1000 allow icmp from to any icmptypes 8

# Server Admin provides these by default
add 1100 allow icmp from any to any icmptypes 0
add 1110 allow igmp from any to any

# mDNS (Bonjour) from trusted local networks (fill in your own,
# preferably non-standard, networks after 'from')
# For Back to My Mac, you might need this from 'any'
# add 5000 allow udp from to any dst-port 5353
# add 5010 allow udp from 5353 to any dst-port 1024-65535 in

# DNS (note TCP is required, but this one should scare you -- much
# better to only allow packets from your trusted nameservers, if you
# always use the same ones)
add 5100 allow tcp from any to any dst-port 53
add 5110 allow udp from any to any dst-port 53
add 5120 allow tcp from any to any dst-port 53 out keep-state
add 5130 allow udp from any to any dst-port 53 out keep-state

# ssh
add 5200 allow tcp from any to any dst-port 22

# iTunes music sharing
# add 5300 allow tcp from to any dst-port 3689

# AFP file sharing
# add 5400 allow tcp from to any dst-port 548

# HTTP (Apache); HTTPS
# add 5500 allow tcp from any to any dst-port 80
# add 5510 allow tcp from any to any dst-port 443

# L2TP VPN
# add 5600 allow udp from any to any dst-port 1701
# add 5610 allow esp from any to any
# add 5620 allow udp from any to any dst-port 500
# add 5630 allow udp from any to any dst-port 4500

# iChat: local
# add 5700 allow tcp from to any dst-port 5298
# add 5710 allow udp from to any dst-port 5298
# add 5720 allow udp from to any dst-port 5297,5678

# Server Admin SSL (Mac OS X Server only)
# add 5800 allow tcp from to any dst-port 311
# add 5810 allow tcp from to any dst-port 427
# add 5820 allow udp from to any dst-port 427

# syslog
# add 5900 allow udp from to any dst-port 514

# ipp (CUPS printing)
# add 6000 allow tcp from to any dst-port 631

# MTU discovery
add 10000 allow icmp from any to any icmptypes 3

# Source quench
add 10100 allow icmp from any to any icmptypes 4

# Ping out; accept ping answers
add 10200 allow icmp from any to any icmptypes 8 out
add 10210 allow icmp from any to any icmptypes 0 in

# Allow me to traceroute
add 10300 allow icmp from any to any icmptypes 11 in

# My default policy: log and drop anything that hasn't matched an allow
# rule above
add 65534 deny log logamount 1000 ip from any to any

# Hard-coded default allow rule (compiled into Darwin kernel)
add 65535 allow ip from any to any


Tuesday, October 02, 2007

Home Security Tip: Nuke It From Orbit

By Rich

I say we take off and nuke the entire site from orbit. It’s the only way to be sure. -Ripley (Sigourney Weaver) in Aliens

While working at home has some definite advantages, like the Executive Washroom, Executive Kitchen, and Executive HDTV, all this working at home alone can get a little isolating. I realized the other month that I spend more hours every day with my cats than any other human being, including my wife.

Thus I tend to work out of the local coffee shop a day or two a week. Nice place, free WiFi (that I help secure on occasion), and a friendly staff. Today I was talking with one of the employees about her home computer. A while ago I referred her to AVG Free antivirus and had her turn on her Windows firewall. AVG quickly found all sorts of nasties- including, as she put it, “47 things in that quarantine thing called Trojans. What’s that?”

Uh oh. That’s bad.

I warned her that her system, even with AV on it, was probably so compromised that it would be nearly impossible to recover. She asked me how much it would cost to go over and fix it, and I didn’t have the heart to tell her.

Truth is, as most of you professional IT types know, it might be impossible to clean out all the traces of malware from a system compromised like that. I’m damn good at this kind of stuff, yet if it were my computer I’d just nuke it from orbit- wipe the system and start from scratch.

While I have pretty good backups, this can be a bit of a problem for friends and family. Here’s how I go about it on a home system for friends and family:

  1. Copy off all important files to an external drive- USB or hard drive, depending on how much they have.
  2. Wipe the system and reinstall Windows from behind a firewall (a home wireless router is usually good enough, a cable or DSL modem isn’t).
  3. Install all the Windows updates. Read a book or two, especially if you need to install Service Pack 2 on XP.
  4. Install Office (hey, maybe try OpenOffice) and any other applications.
  5. Double check that you have SP2, IE7, and the latest Firefox installed. Install any free security software you want, and enable the Microsoft Malicious Software removal tool and Windows firewall. See Security Mike for more, even though he hasn’t shown me his stuff yet.
  6. Set up their email and such.
  7. Take the drive with all their data on it, and scan it from another computer. Say a Mac with ClamAV installed? I usually scan with two different AV engines, and even then I might warn them not to recover those files.
  8. Restore their files.

This isn’t perfect, but I haven’t had anyone get re-infected yet using this process. Some of the really nasty stuff will hide in data files, but if you hold onto the files for a few weeks, at least one AV engine will usually catch it. It’s a risk analysis: if they don’t need the files, I recommend they trash them. If they really need the stuff, we can restore it as carefully as possible and keep an eye on things. If it’s a REALLY bad infection I’ll take the files on my Mac, convert them to plain text or a different file format, then restore them. You do the best you can, and can always nuke it again if needed. In her case, I also recommended she change any bank account passwords and her credit card numbers.

It’s the only way to be sure…


Monday, September 17, 2007

Send Your Friends and Family To

By Rich

Big Bad Mike Rothman over at Security Incite just announced a new program he’s launching next month for consumers. Mike told me about this a while ago, and I think it’s a great idea.

Here’s an excerpt from the announcement that I think summarizes why we need something like this (emphasis added):

If you like it, then it’s too hard. The fact is, since you are a security professional, there is a high likelihood that you’ll hate it. It’s intentionally simple. It’s not designed for you. It’s not even Security 101. It’s kind of like Security Kindergarten. It’s secure, but it’s not complicated. Unfortunately the two are not mutually exclusive at this point. The sad truth is that anything too complex isn’t going to get done. I had to intentionally get rid of the buzzwords and vernacular that dominate our security conversations. Soccer Moms don’t care about zombies or IP spoofing. It’s designed for your family and/or your neighbors. Those folks that annoy the crap out of you by asking you to spend your weekends cleaning up the mess they made during the week. Security Mike’s Guide is not about making sure that the world class researchers can’t break into their home networks. It’s about making sure the script kiddie neighbor cutting his teeth doesn’t manage to break into your network and get at your Quicken file. Or find your “private” pictures (ask Vanessa Hudgens about that).

I plan on sending my family his way. We’re all tired of supporting their messed-up PCs and Macs, and I’m more than happy to outsource this to Mike.

He also has a new, family-friendly blog over at http://securitymike.blogspot.com/

(Okay, the Macs all seem to be working fine.)


Friday, September 07, 2007

Consumer Security Tip: Use Multiple Email Accounts To Reduce Fraud And Spam

By Rich

I spend a fair bit of time helping friends and family keep their computers up and running. At the local coffee shop I’m known as “the security guy”, which usually means answering questions about which antivirus software to buy. But some of the best ways to protect yourself don’t involve spending any money, or buying any software.

One of my favorites is to use different email accounts for different contexts. A lot of security pros know this, but it’s not something we have our less technical friends try. Thanks to the ease of webmail, and most mail applications’ support for multiple email accounts, this isn’t all that hard. Keeping things simple, I usually suggest 4-5 different email accounts:

  1. Your permanent address: I have one email account that’s been in active use since 1995. It’s the one I give friends and family, and I don’t use it for anything else. No online purchases, no newsletter subscriptions, nothing but those I know and care about. For a long time I got essentially NO SPAM on this account. Ever. I did make the mistake once of letting a local political party get their hands on it, and they screwed up a mailing and the address leaked to a spam list. Learn from my mistake- have one address you give out for your personal email that you never have to change- e.g. Hotmail, Yahoo, or Gmail, and never use it for anything else.
  2. Your work address: We all have these, and we all use them for personal email. That’s fine, but don’t use it for subscriptions or online purchases.
  3. An address for buying online when you don’t trust the store: Another Gmail/Yahoo/Hotmail address you use for risky online purchases, and nothing else. That way, if a site you use is compromised you can easily change addresses without too much difficulty. These are the smaller online retailers you don’t really know or trust as much as Amazon and Ebay.
  4. An address for trusted retailers: This is your Amazon, Ebay, and Apple address- one you use to buy things from major retailers. This can be the same as your permanent address. Let’s be realistic, I use a few major retail sites and have never had any problems with spam or fraud by letting them use my main address. Yes, it’s a risk if they get breached, but it’s one I’m willing to take for a small group of stores I use more frequently. If you do this, make sure you opt out of any of their marketing emails. This is in your account preferences when you log in.
  5. An address for email subscriptions: This is for newsletters, fora, and other sites where your email might not be private.

I also often use throwaway addresses. These are temporary accounts I set up for high-risk things like certain forum subscriptions and email lists that I know will end up in the hands of spammers.

There’s one kind of address you should never use- the one your ISP (Internet Service Provider) gives you. Not only do these seem to end up on spam lists more often than not, but you may have to change your ISP more often than you anticipate. If I have to update my address book for someone moving/changing addresses, it’s almost always because they’ve used the email from their ISP. These other services are free and easier to use, so there’s no reason to use an ISP account.

This might seem complicated, but it’s really easy. Just go to one of those services and set up some free accounts. For each one, write down the username and password twice- once on a piece of paper you keep near your computer, the other you keep with your important papers (except your work password). I know most security experts tell you to never write your passwords down, but as long as it’s on paper (not in a file on your computer) and reasonably safe in your home the risk is low (however, don’t do this with bank account passwords!).

Then launch Outlook Express, Mail.app, Eudora, Thunderbird, or whatever email program you use and add these accounts using the instructions from whoever you set up the account with. It usually takes less than a minute, and gives you one place where you can read all your mail.

Personally I have over a dozen accounts, but I’m paranoid, and I like having all my different email lists go to different accounts to make reading them easier. For the rest of you, somewhere between 4 and 6 accounts can reduce the spam you get, especially on your personal email, and even reduce the chances of fraud.