Guides on how to do technology or IT related shenanigans.
Ransomware Prevention for Users
Everyone knows about ransomware, right? It's a form of malware that's been around for about 3 years now that encrypts all of your files and demands a ransom to get them back. Gone are the days when malware simply slowed down your computer. Now it costs money, generally in Bitcoin and to the tune of at least $300 USD and up.
OK, so it's obviously scary, but how do you avoid it?
- Use an adblocker.
Ransomware generally ends up on your system one of two ways: either a fake download/popup/ad or a malicious email (we'll cover email tips later in this post).
An adblocker blocks every ad on a webpage. This speeds up your browsing experience, enhances your privacy, and stops malicious ads (the kind that attempt to deliver malware and ransomware) from ever being loaded by your computer.
Brave - Brave is a web browser based on Google Chrome with a built-in adblocker. It can be enabled or disabled by pressing the lion icon in the screenshot below and turning the "shields" on or off. It works for Windows/Linux/Mac/Android/iOS and is the simplest way to block ads.
uBlock Origin - uBlock Origin is an adblocker available for Chrome and Firefox. It has an on/off toggle similar to Brave's. It is not easily installed on mobile, so my recommendation would be to use Brave on your mobile device.
- Be more wary of your emails.
Email is the main way ransomware gets into your system. It's usually a .ZIP file with an "invoice" or "resume" inside. The .ZIP in this case is used to hide the malicious files from your spam filter and antivirus applications.
Additionally, you may get emails appearing to be a bill/invoice/resume with a real Word/PDF attachment, but when opened you are prompted to "enable" a feature to view the contents, or the document claims to be defective. This is ransomware almost 100% of the time.
Lastly, the email may contain features similar to the above but have a shortened or spoofed link. You can hover over each link in your email to reveal its true destination. If the link and its revealed destination do not match, do not click it. In the case of shortened links, you can scan the link with a web service like VirusTotal to reveal and scan its destination.
It's important to be wary of the types of emails listed above even if they come from someone you know or appear to be from a reputable source. When in doubt, you can upload the attachments or links to VirusTotal for free to further ensure you aren't getting yourself into trouble.
-When your computer tells you it has updates, install them.
Imagine you are trying to get some work done and your computer tells you it has updates ready to install, and you ignore it for weeks because you don't feel like waiting on Microsoft's blue spinning wheel when you could be "working" on Facebook. DO NOT DO THIS. If your computer says it has updates, install them TODAY, or better yet NOW. Updates generally fix problems or contain security fixes that keep your computer safe from ransomware and other threats. In the case of the "WannaCry" ransomware that was in the news in May of 2017, those 300,000+ systems were only infected because they did not have their updates installed. The update that would've prevented this was released a full MONTH earlier, in April. So as inconvenient as it can be, it's worth the time to do it.
So, the TL;DR. The quick takeaway here is the following:
-USE AN ADBLOCKER
-BE SUSPICIOUS OF YOUR EMAILS
-UPDATE YOUR COMPUTER
Thanks for reading!
Recurring Password Changes Hurt Security
Changing passwords regularly is actually a bad security policy, believe it or not. All that happens is people use the same password they had before and add a digit or special character at the end.
This teaches bad password hygiene, because it trains people to do two things they shouldn't be doing:
1- Picking passwords simple enough that they can remember them.
2- Using predictable patterns to change the password to something "new".
Both of these things increase the chance that someone can guess/bruteforce/infer (in the case of password dumps from hacked online services) your password.
Use a password manager. This allows you to create strong and unique passwords for each site/service/login you have that are complex enough to secure your information. The only reason you should need to change your password at this point is if you suspect the password has been compromised or you "just feel like it".
My password manager recommendations are:
LastPass - Free (with paid option) online password manager with apps for Android/iOS/Windows/Mac/Chrome. Passwords sync between all your devices. I've personally used LastPass for 4 years now and it's a stellar product.
KeePass - Free, open source, and saved on your hard drive. You'd obviously want to back up your KeePass database in case of hardware failure/corruption/accidental deletion.
PS - You should set a master password for each of these applications that is at least 16 characters long and not used elsewhere. You should also secure them using a second-factor authenticator like Authy.
Phishing Prevention/Detection User Guide
Phishing email messages, websites, and phone calls are designed to steal money and information. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer.
Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.
What does a phishing email message look like?
Here is an example of what a phishing email might look like:
- Spelling and bad grammar - Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam.
- Beware of links in email - If you see a link in a suspicious email message, don't click on it. Rest your mouse (but don't click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address.
- Threats and a sense of urgency - Have you ever received a threat that your account would be closed if you didn't respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised. For more information, see Watch out for fake alerts.
- Spoofing popular websites or companies - Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows. Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered. This is known as "typosquatting". See the example below.
Beware of phishing phone calls
Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license. Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.
Once they've gained your trust, cybercriminals might ask for your user name and password, or ask you to go to a website to install software that will let them access your computer to "fix" it. Once you do this, your computer and your personal information are vulnerable.
Treat all unsolicited phone calls with skepticism. Do not provide any personal information.
Data Recovery with TestDisk
TestDisk is a free, open-source, cross-platform tool to recover data from dead drives. This is what I use in-house. TestDisk can read drives that Windows cannot. It can also read recently deleted partitions as well as corrupt ones. If TestDisk can't recover it, then contact DriveSavers to recover the data: https://www.drivesaversdatarecovery.com/contact-drivesavers/
-Grab TestDisk from their site here - https://www.cgsecurity.org/Download_and_donate.php/testdisk-7.1-WIP.win64.zip
-Now select the drive you wish to recover data from. If the drive doesn't show up in this list, you can try sticking it in the freezer for an hour and trying again. If it still doesn't show up, contact DriveSavers as listed above.
-Next we'll select the partition type. Normally it's going to be Intel/PC, but in some cases you will see EFI. Depending on how badly hosed the drive is, it will sometimes auto-detect the partition type. Next you'll go to "analyze".
-From here click "quick search". If quick search doesn't find it, you'll be presented with the option for "deep scan". Deep scan will take quite some time. You'll want to grab coffee or take a nap should you have to do a deep scan.
-Begin the scan. Stop the scan when you see the partition you wish to recover listed.
-You'll then be presented with the following screen giving you options for what partition to recover data from. Highlight it and select list files.
-You can now browse the folder structure and follow the onscreen prompts to copy data from the drive. You should copy the data to a known good drive for obvious reasons.
-TestDisk also has the ability to do partition recovery and repair. Tread lightly here, as you can make the drive worse off than it was when you started. I'd see if you can copy the data off before going this route. TestDisk has extensive documentation on this: https://www.cgsecurity.org/wiki/TestDisk_Step_By_Step
Checking Open Ports with Shields Up
OK, so say you open a port for a vendor and they claim it isn't open, or you just want to test that you did it right. Or say you want to see if you have a port open on your home network and you don't feel like installing nmap. Here's an easy way to test that.
-Open a web browser (this must be done on the client network or server).
-Go to https://www.grc.com/x/ne.dll?bh0bkyd2
-Enter the port you want to check in the text box as shown and then click
-Now if the result is "failed" and it shows the port as open as shown below, you have successfully determined that the port is open. The reason for the failure is that Shields Up exists to help you make sure no ports are open, which is the opposite of what we are trying to do here :).
-Another handy function is to click the button. This will let you know what common ports are open on the customer network. Handy if you're trying to lock stuff down (this only checks the first 1054 ports. You should use something like nmap if you would like to check all of them).
How I Rolled My Own Backup Service With Duplicati
I work for a managed service provider. One of the solutions we offer our clients is offsite backups of their data. We find that folks are more comfortable backing up to our infrastructure than using a 3rd party. For years we used CrashPlan's free version and just had all the systems back up to a storage server in our rack here. A combination of CrashPlan discontinuing their consumer service along with the fact that we were probably violating their license terms led me to look for other solutions. After a few weeks of searching and testing we finally landed on Duplicati.
Duplicati is a free/open-source application that runs on Mac/Linux/Windows and backs up to numerous backends (OneDrive, Google Drive, SMB, SFTP, FTP). Add end-to-end encryption and this checked all the boxes for us. So now that we had our solution, we needed to figure out the best way to implement it. Our implementation is as follows:
-Clients have Duplicati installed on servers or workstations depending on service level. We work with them to select files they need backed up.
-We use a template to define backup source/destination/encryption password/schedule/retention/email alerts. Email alert documentation can be found HERE.
-The emails go to our CRM and create a ticket under the client.
-To track the amount of consumed storage per client, I have a PowerShell script run several times a day on our storage server that simply kicks out the folder names and the size of each folder to a web server, so we can ensure clients aren't using more than they are paying for and so it can be checked during our monthly courtesy check-ins. The script is run via the PowerShell script HERE.
I also have Duplicati set up for a few family members and friends. I have them pick the encryption password so they can be certain I'm not messing with their data. I have it configured to back up to my 2 TB Google Drive account.
To get familiar with Duplicati, they have a great getting started guide HERE. This is the info I started with. I found it pretty handy for getting a foundation of understanding.
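As an added example (not the post's own script), here is one way to produce the per-client storage report described in the last step. It assumes a backup root with one subfolder per client, an IIS wwwroot path for the published page and an optional quotas CSV; all three paths are assumptions.

```powershell
# Added example, not the post's own script: a per-client consumed-storage report for a
# Duplicati storage server. Every path below is an assumption; adjust to your layout.
$BackupRoot = 'D:\DuplicatiBackups'                      # one subfolder per client (assumed layout)
$ReportPath = 'C:\inetpub\wwwroot\storage-report.html'   # a page served by the web server (assumed)
$QuotaFile  = 'D:\DuplicatiBackups\quotas.csv'           # optional "ClientName,QuotaGB" list (assumed)

# Load per-client quotas if present so the report can flag anyone over what they pay for.
$quotas = @{}
if (Test-Path $QuotaFile) {
    Import-Csv $QuotaFile | ForEach-Object { $quotas[$_.ClientName] = [double]$_.QuotaGB }
}

$rows = foreach ($dir in Get-ChildItem -Path $BackupRoot -Directory) {
    # Sum every file beneath the client's folder; -Force includes hidden files,
    # and an empty folder yields a null Sum, which [long] turns into 0.
    $bytes  = [long]((Get-ChildItem -Path $dir.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum)
    $usedGB = [math]::Round($bytes / 1GB, 2)
    $quota  = $quotas[$dir.Name]
    $status = 'ok'
    if ($null -ne $quota -and $usedGB -gt $quota) { $status = 'OVER QUOTA' }
    [pscustomobject]@{
        Client  = $dir.Name
        UsedGB  = $usedGB
        QuotaGB = $quota        # blank in the report when no quota is defined
        Status  = $status
        Checked = (Get-Date).ToString('s')
    }
}

# Publish an HTML table the web server can serve, plus a CSV for the monthly check-ins.
$rows | Sort-Object UsedGB -Descending |
    ConvertTo-Html -Title 'Duplicati storage usage' -PreContent '<h1>Storage usage per client</h1>' |
    Set-Content -Path $ReportPath -Encoding UTF8
$rows | Export-Csv -Path ([System.IO.Path]::ChangeExtension($ReportPath, 'csv')) -NoTypeInformation
```

Run it from a scheduled task several times a day, as the post does, and the page under wwwroot always shows the latest usage and any client over quota.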
Roll Your Own Open-VPN Server
One of my favorite things about self-hosting is the ability to take back control of your data and, as a neat side effect, increase your privacy in an ever-growing world of data mining and complicated EULAs.
A VPN can be super handy for keeping prying eyes from viewing what websites you visit or hijacking your DNS to point you to a malicious copy of an otherwise legit website. This is especially important on open wifi or networks you don't trust.
Using a VPN provider is certainly an option, but then you're simply moving the trust to yet another 3rd party. Some of these are certainly trustworthy, but ultimately it's impossible to know for sure what these services are doing with your data.
Below are some handy resources if you want to use a VPN service rather than roll your own.
- Here is a handy thread as well https://twitter.com/evacide/status/974038707081592832
There are a few options to roll your own personal VPN service, but the first step is picking a virtual private server (VPS) provider to run your VPN on. You can of course do this on your own home PC/server, but then you're opening your home to the internet, which I generally like to avoid. I personally use Vultr (disclosure: this is an affiliate link) for my outside self-hosting playground. Their base VPS price ($3.50 per month) is quite reasonable and I've found their service to be reliable.
After you choose your VPS service, you have a few options for what VPN technology to deploy and how you deploy it. We'll dive into each below.
Option 1 (my preference) OPENVPN -
OpenVPN has been around for ages. It is a proven and security-audited technology used by many organizations and individuals. There are a few options for deployment here.
-First you'll want to spin up a VPS as listed above. I'd suggest using Ubuntu Server 18.04 LTS as your base OS.
-Log in to your server with SSH (PuTTY or MobaXterm). Pick a strong password, or better yet use SSH keys, and install Fail2Ban (this will ban IPs that try to bruteforce SSH logins on your box and keep it a bit more secure).
-Use the following script for the easiest deployment: https://github.com/angristan/openvpn-install (most folks recommend against downloading random bash scripts from the internet and running them as root; do not do this unless you know how to read what the script does before deployment). That being said, I've used this on numerous occasions and it has my blessing. Once you have run this script it will spit out an OpenVPN config file. Simply download it from your server and import it into your OpenVPN client on Windows, iOS, or Android.
-If you want to avoid the scripted deployment route and get your hands dirty, I'd suggest this guide: https://blog.ssdnodes.com/blog/tutorial-installing-openvpn-on-ubuntu-16-04/
Option 2 (less widespread support, but I've used it myself without issue) ALGOVPN -
Algo is a bit more complicated to set up than just using a script, but is still easier than deploying from scratch. It is also a bit harder to set up on your system. The project has been around for a while and the folks there take security seriously. The guide can be found here: https://github.com/trailofbits/algo .
In closing: whatever you decide to do, rolling your own VPN can be a fun afternoon (or even lunch break) project that can help keep you more secure online and teach you a bit in the process.
Questions? Comments? Snide remarks? Feel free to spam me using my info on the about page.
MSP Baseline Security Auditing for Onboarding New Clients
A collection of scripts for use in a Windows domain environment to minimize risk by checking admin groups, haveibeenpwned, open ports and inactive accounts.
-Log in to the domain controller as a domain admin.
-Download the following ps1 file
-Open PowerShell as admin, navigate to the folder, run "Set-ExecutionPolicy bypass -force", then run "_starthere_security_audit_onboarding.ps1". This script will display progress and explanations in the terminal as needed so you have an idea of what stage you're in. This script performs a good number of functions and does take some time to run. The script does the following things (this is for transparency, but you should review it yourself so you don't go running code from the interwebz you haven't vetted).
-Installs the latest version of PowerShell via Chocolatey (this may require a reboot if you run into errors later in the script).
-Installs 7-Zip via Chocolatey so we can extract a large 7z file later.
-Installs the 7-Zip PowerShell module to aid in the above. You may be prompted to allow "NuGet" or something similar. Please answer in the affirmative.
-Installs the DSInternals PowerShell module for use later in the script.
-Creates the folder C:\sec-audit. This is where all of the scripts, reports and files will end up when we are done.
-Creates/sets a variable called $working which is C:\sec-audit so the script knows where to look for things.
-Downloads the following file https://downloads.pwnedpasswords.com/passwords/pwned-passwords-ntlm-ordered-by-count-v4.7z into $working. This is 500 million known compromised passwords from haveibeenpwned converted to NTLM hashes that we'll compare against AD to see if anyone is using a known compromised password. This is about 9 GB and a progress bar will not show. It will take some time.
-Uses 7-Zip to extract the above file to a txt file in $working. This will have a progress bar. It takes a while.
-Downloads script office-365-have-i-been-pwned-check.ps1 into $working.
-Downloads script aduc-bad-pass-check.ps1 into $working.
-Downloads script inactive-user-check.ps1 into $working.
-Downloads script admin-group-checker.ps1 into $working.
-Disables IE Enhanced Security Configuration, as it will interfere with our Office 365 script.
-Launches the office-365-have-i-been-pwned script. You'll be prompted for the client's Office 365 admin creds. Please enter them. The script will look at all email accounts in the customer tenancy and check them against haveibeenpwned. It will then generate a file called BreachedAccounts.csv and dump it in $working. It will look something like the example below. You do not need to do anything with it yet. I make my CSV pretty with Excel, so yours might look different.
-Next the script will launch the aduc-bad-pass-check.ps1 script from $working. This is where we cross-reference compromised passwords from haveibeenpwned against customer domain accounts without any data leaving their server. This will take quite some time, but it does have a progress bar. This would be a good time to do some other work while you wait. Upon completion a file called Aduc-Compromised-Accounts.txt will be dumped in $working and will look like the example below. This will give you accounts with hashes that are in HIBP, accounts with no password, accounts with passwords that are dictionary words, etc.
-Next the script will launch inactive-user-check.ps1 from $working. This will search for any user that hasn't logged on in 90 days or more. It will generate a file in $working called inactive-accounts.txt. You should go through this list and disable any human accounts that haven't logged on in 90 days or more. Please note the "lastlogondate" field to make sure the account actually hasn't logged in for 90+ days, so you can avoid disabling someone in error. DO NOT disable accounts that are obvious built-in/service accounts for Windows/vendors. When in doubt, please check with the customer. Example of inactive-accounts.txt below.
-Lastly the script will launch admin-group-checker.ps1 from $working. This will show you any account contained in any admin group on the server (local or domain). Best practice is to not have any end users be any kind of admin on the domain, because if they pick up a bug or ransomware it will have access to everything, and that can be VERY bad. Please remove end users from the admin groups. You'll want to consult with the POC for the site to explain that you're doing this and why before pulling the trigger. The script will dump admin-group-report.txt to $working. Example below.
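As an added example (not the post's _starthere_security_audit_onboarding.ps1 or its helper scripts), here is how three of the checks above can be written against the ActiveDirectory (RSAT) and DSInternals modules. $working, the 90-day threshold and the report file names come from the post; the service-account name heuristic, the privileged-group list and the DC lookup are assumptions.

```powershell
# Added example, not the post's own audit scripts. Re-creates the inactive-account,
# admin-group and compromised-password checks described above.
Import-Module ActiveDirectory
$working = 'C:\sec-audit'
$InactiveDays = 90
$DomainController = (Get-ADDomainController).HostName    # assumption: run on a DC, as in the post
New-Item -ItemType Directory -Path $working -Force | Out-Null

function Get-InactiveHumanAccount {
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # Heuristic (assumption): names that look like built-in or service accounts are left out
    # so they get discussed with the customer rather than disabled by mistake.
    $servicePattern = '^(krbtgt|Guest|DefaultAccount|svc[-_]|sa[-_])|\$$'
    # Never-logged-on accounts only count as inactive once they are older than the cutoff.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated, Description |
        Where-Object {
            $_.SamAccountName -notmatch $servicePattern -and (
                ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
                (-not $_.LastLogonDate -and $_.WhenCreated -lt $cutoff)
            )
        } |
        Select-Object SamAccountName, Name, LastLogonDate, WhenCreated, Description
}

function Get-AdminGroupReport {
    # Privileged groups to inspect; Enterprise/Schema Admins only exist in the forest root,
    # hence the silenced errors. Administrators is the DC's built-in local group.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
    foreach ($g in $groups) {
        foreach ($m in Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue) {
            $enabled = 'n/a'
            if ($m.objectClass -eq 'user') { $enabled = (Get-ADUser -Identity $m.DistinguishedName).Enabled }
            [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; Type = $m.objectClass; Enabled = $enabled }
        }
    }
}

function Get-CompromisedPasswordReport {
    # DSInternals pulls the NT hashes over the replication protocol and compares them locally
    # against the extracted haveibeenpwned list, so no hashes leave the server.
    # Parameter names follow the DSInternals documentation (assumption about your version).
    param([string]$HibpFile = (Join-Path $working 'pwned-passwords-ntlm-ordered-by-count-v4.txt'))
    Import-Module DSInternals
    Get-ADReplAccount -All -Server $DomainController |
        Test-PasswordQuality -WeakPasswordHashesFile $HibpFile
}

Get-InactiveHumanAccount | Format-Table -AutoSize | Out-File (Join-Path $working 'inactive-accounts.txt')
Get-AdminGroupReport     | Format-Table -AutoSize | Out-File (Join-Path $working 'admin-group-report.txt')
Get-CompromisedPasswordReport                     | Out-File (Join-Path $working 'Aduc-Compromised-Accounts.txt')
```

The inactive list is review material only: it never disables anything, so the "check with the customer" step above still happens by hand.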
Now you'll have a solid amount of data in $working that will allow you to have a (hopefully) productive conversation with your client or manager about improving the security posture of your/their org.
Troy Hunt/HaveIBeenPwned - This mini project would not be possible if it was not for his service. Seriously, donate some dollars to this gentleman.
Michael Grafnetter/DSInternals - DSInternals does lots of the heavy lifting as far as comparing the HIBP hashes with AD hashes. Wouldn't be possible without his great work.