Overclockers Australia Forums

#31 NSanity, 15th May 2017, 2:47 PM

Quote: Originally Posted by PabloEscobar
playing with it now.

I wish they used PS jobs tho...

#32 mr626, 15th May 2017, 2:54 PM

Quote: Originally Posted by dave_dave_dave
Have been running a Crypto Canary (set it up as a honey pot unauthenticated / everyone share) on our network for some time now. Quick and easy to set up with File Server Resource Manager.

https://chrisreinking.com/stop-crypt...res-with-fsrm/
Thanks for this, I might just give that a shot.

Have you ever had it triggered in your org? (or, have you manually tripped it?).

#33 NSanity, 15th May 2017, 3:37 PM

dunno if i like that canary.

it has too many things that it's relying on that you might cop a ton of damage before you actually stop it.

#34 mr626, 15th May 2017, 3:59 PM

Quote: Originally Posted by NSanity
dunno if i like that canary.

it has too many things that it's relying on that you might cop a ton of damage before you actually stop it.
Any other similar setups you'd recommend?

Our patching / security is fairly OK, but I have been looking for this kind of thing as part of the overall picture.

#35 dave_dave_dave, 15th May 2017, 4:01 PM

Quote: Originally Posted by mr626
Thanks for this, I might just give that a shot.

Have you ever had it triggered in your org? (or, have you manually tripped it?).
Never had it triggered, except by me to test it.

Quote: Originally Posted by NSanity
dunno if i like that canary.

it has too many things that it's relying on that you might cop a ton of damage before you actually stop it.
Pretty much. It's a last line of defense / trying to minimize the damage thing and a worst case scenario notification.

I haven't enabled the shutting off of the windows file sharing service, by the time it gets to this it's restore from backups anyway.

If something gets past all our spam filtering, firewalls, antivirus, crypto guards, real time auditing and fully patched up systems, it's at least nice to know before anyone else.


Just like to add there is also the prevent crypto file extension method as well. But relies on you keeping the extensions up to date and the crypto infection on your network having known extensions. A last line / band-aid solution as well. Probably more server resource intensive.

https://fsrm.experiant.ca/
Last edited by dave_dave_dave; 15th May 2017 at 4:16 PM.
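The following is an added PowerShell example, not code from the thread or from the two linked articles, showing how the FSRM "crypto canary" described above is typically put together: a file group of ransomware-style names, an event-log notification, and a file screen on a honeypot share. The share path D:\Canary, the extension patterns and the event text are constructed placeholders; the cmdlets are from the FileServerResourceManager module that ships with the FS-Resource-Manager feature. The optional service-stop action dave_dave_dave mentions is included but left commented out.

```powershell
# Added example: FSRM honeypot file screen ("crypto canary").
# Assumptions (not from the thread): FSRM feature installed, a share published at
# D:\Canary that Everyone can write to, and a constructed pattern list that you
# would replace with a maintained one such as the list linked at fsrm.experiant.ca.

Import-Module FileServerResourceManager

$canaryPath = 'D:\Canary'   # constructed path for the honeypot share

# Constructed sample patterns. The weakness of this approach, as the thread notes,
# is that it only fires on names/extensions already on the list, so keep it current.
$patterns = @('*.locky', '*.crypt', '*.encrypted', '*DECRYPT*.txt', '*.wncry')

# 1. File group: the names FSRM should treat as ransomware artefacts.
$group = New-FsrmFileGroup -Name 'Ransomware artefacts (canary)' `
    -IncludePattern $patterns `
    -Description 'Constructed example list; replace with a maintained list'

# 2. Notification: write a Warning to the Application event log so monitoring can
#    alert on it. [Source Io Owner], [Source File Path] and [Server] are FSRM macros.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'CANARY TRIPPED: [Source Io Owner] wrote [Source File Path] on [Server]'

# 3. Optional containment: stop the Server (file sharing) service so the writing
#    host cannot reach other shares. Commented out, matching the post's choice of
#    notify-only; by this point the recovery path is restore from backup anyway.
# $stopAction = New-FsrmAction -Type Command -Command 'C:\Windows\System32\net.exe' `
#     -CommandParameters 'stop LanmanServer /y' -SecurityLevel LocalSystem

# 4. Active file screen on the honeypot: the write is refused and the actions fire.
#    Passive (omit -Active) would log only and let the write through.
New-FsrmFileScreen -Path $canaryPath -IncludeGroup $group.Name -Active `
    -Notification @($logAction) `
    -Description 'Honeypot share: any hit here is a worst-case alert'

# 5. Confirm the screen is in place.
Get-FsrmFileScreen -Path $canaryPath | Format-List Path, IncludeGroup, Active
```

To test it without waiting for an incident, create a file matching one of the patterns on the honeypot share from a workstation and confirm the Application log entry appears; that manual trip is the only way the poster above reports ever having seen it fire.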
Old 15th May 2017, 4:02 PM   #36
IACSecurity
Member
 
IACSecurity's Avatar
 
Join Date: Jul 2008
Location: ork.sg
Posts: 822
Default

Quote:
Originally Posted by mr626 View Post
Any other similar setups you'd recommend?

Our patching / security is fairly OK, but I have been looking for this kind of thing as part of the overall picture.
Empty network segments, any traffic is malicious or extraneous.

#37 person, 15th May 2017, 6:26 PM

Quote: Originally Posted by mr626
Any other similar setups you'd recommend?
Not completely similar - but I've been running "PolicyPak LPM" for application whitelisting for the last 6 months now with great success on about 60 computers ... I block Macros with the same suite (PolicyPak App Manager etc.).

I think a lot of the major AV vendors (Sophos etc) have at least basic whitelisting now... but for us the money was better spent on PolicyPak suite and a basic antivirus (AVIRA), as it solves a lot of problems for the price...

I don't think I could recommend PolicyPak LPM in an MSP environment though - it lacks reporting so far.

#38 RaZ, 15th May 2017, 8:58 PM

wow... I am currently working for a Hospital group, that I had goes at over their servers not being patched - and not Saturday and Sunday day & night I just spent patching the shit out of everything as most of their 2k8R2 servers had NEVER been patched.

These guys thought this was good as they didn't have so many application issues.

Why? They had been burnt real bad with bad patching in the past.
As it was I had to fix up a java app - used for pay runs mind you, because a setting got active with the patching. Took a bit but I wanted to get paid (Stupid Kronos!)

I wouldn't say they deserved it but would have served them right... so to speak, for not following best practice and advice.

#39 PabloEscobar, 15th May 2017, 10:07 PM

Quote: Originally Posted by RaZ
Why? They had been burnt real bad with bad patching in the past.
As it was I had to fix up a java app - used for pay runs mind you, because a setting got active with the patching. Took a bit but I wanted to get paid (Stupid Kronos!)

I wouldn't say they deserved it but would have served them right... so to speak, for not following best practice and advice.
That discussion gets rehashed regularly around the traps.

General consensus nowadays is, even with the bad patches, you're better off financially to patch and roll back if required, than not patching.

At least with patching, you get to choose when to do it, and do some testing.
If you're owned, you're going to be patching anyway, on top of repairing the damage done, on a schedule that is not set by you.

I've been told that Kronos is sweaty ball juice as far as "Enterprise Shitware that relies on Outdated stuff" goes, but haven't had the displeasure of working with it myself.

#40 elvis, 17th May 2017, 1:11 PM

Quote: Originally Posted by PabloEscobar
That discussion gets rehashed regularly around the traps.

General consensus nowadays is, even with the bad patches, you're better off financially to patch and roll back if required, than not patching.
Circa 2011: "Should we still test patches?"
http://forums.overclockers.com.au/sh...d.php?t=983059

I fall firmly in the "patch early, patch often, and deal with bad patches instead of hacks/malware/infections" camp. It's a hard sell to slow/dumb/outdated businesses. But in 2017 there are enough headlines appearing on a daily basis now that you've at least got some evidence to support the cause as to why running unpatched software is totally nuts.

Back in 2009-ish I was working for a big finance mob who insisted on full SDLC of patches, meaning critical updates didn't hit production servers for around 6 weeks. I made it very clear that the first time we got hit by a preventable attack, I'd be handing my resignation in and CCing the executive team with a copy of all my emails to senior IT management warning them. Given that their core infrastructure was UNIX, and only their peripheral systems were Windows, there was little excuse to take so long to get security updates onto production servers.

But I'm out of that world now. Recently in my world there's been two very public attacks ("Orange is the New Black" and "Pirates of the Caribbean: Dead Men Tell No Lies" were both stolen from small studios who were outsourced to do certain work on them, and leaked). That's rattled a lot of people in our industry, so the hammer has come down hard to be secure by default. That suits me perfectly fine, as I've been ranting about it for a very long time, and most of the stuff I put in some time ago around patching is already well beyond what the minimum security standards required by our customers are.

We do get bitten by the odd bad patch (in 5 years I can count them on one hand), but it's minor and requires a rollback of a single package, which is easy enough to do thanks to our configuration management tools. And again, it's a tiny price to pay compared to having to own up to being attacked and having your reputation dragged through the mud.

#41 cvidler, 17th May 2017, 2:00 PM

Does no one keep snapshots of their server shares?

Gives you plenty of time to find/kill and restore without having to go back to backups.
And you're using role based access right? or does everyone get read/write to the entire data share?

#42 PabloEscobar, 17th May 2017, 2:11 PM

Quote: Originally Posted by cvidler
Does no one keep snapshots of their server shares?

Gives you plenty of time to find/kill and restore without having to go back to backups.

And you're using role based access right? or does everyone get read/write to the entire data share?
I'm not sure if Wannacry uses any privilege escalation techniques, but in your average windows network, they are pretty trivial.

Some of the ransomware escalates and hoses Volume shadow copies before it encrypts.

All in all, I'd say everyone got off lightly, It could have been much worse.

Using NXDOMAIN as a method of sandbox detection made it very easy to stop before it had spread too far.

It's been a while since we've had a good and proper worm (a la Nimda/Code Red). People have forgotten how nasty it can get.

/ClevelandBrown.mp4

#43 cvidler, 17th May 2017, 2:17 PM

Quote: Originally Posted by PabloEscobar
I'm not sure if Wannacry uses any privilege escalation techniques, but in your average windows network, they are pretty trivial.

Some of the ransomware escalates and hoses Volume shadow copies before it encrypts.
I meant proper snapshots (storage system CoW based), not crummy Windows rubbish.

Not going to have too much luck, if it has to figure out your NAS/SAN vulnerabilities and command set to hose your data. (just don't use HPe, it's self hosing)

#44 looktall, 17th May 2017, 2:22 PM

Quote: Originally Posted by PabloEscobar
I've been told that Kronos is sweaty ball juice as far as "Enterprise Shitware that relies on Outdated stuff" goes, but haven't had the displeasure of working with it myself.
newer versions are much better.
previous versions would only work with version 1.5.somethingorother of java.
newer versions now work with the latest version, but if you don't have java installed it will encourage you to install version 1.7.20.

it's not nearly as bad as the fucking steam heap of shit known as freightmaster.

#45 elvis, 17th May 2017, 6:53 PM

Quote: Originally Posted by cvidler
Does no one keep snapshots of their server shares?
I'd be interested to see real numbers on this, but I'd say snapshots are a minority thing still.

Particularly in small businesses, storage is frequently run at 90%, and snapshots are nothing more than "wasted space that we paid for". I've lost count of the number of places I've worked for in the past where it was almost impossible to get businesses to understand that they needed to shell out for double the storage they actually wanted in production just to stay safe (and not slow down on full/busy file systems either).