Last Updated: 2007-10-15 19:30:34 UTC
by Johannes Ullrich (Version: 1)
I updated and cleaned up our "daily sources" feed a bit. This feed is created around 4am GMT daily, and includes a summary of all the source IPs for which we received reports the prior day.
You can retrieve the feed at http[s]://isc.sans.org/feeds/daily_sources.
The link is not click-able for a reason: it's 70 MBytes (varies from day to day of course). I recommend a tool like curl/wget to download it once a day. It's usually created around 4am GMT, so pull it at 4:30-5:30am GMT to get it "fresh and warm".
It's a plain tab-delimited ASCII file. Comments (e.g. header/footer) are indicated by a '#' as the first character. The columns are:
- IP Address (we use our "sortable" 0 padded format... 10.1.100.10 -> 010.001.100.010 ).
- reports (each "packet" counts as one report).
- targets (each distinct target IP reporting this particular source IP / port combination counts as one).
- first seen: the time (UTC) of the first packet we received for this source/port.
- last seen: the time (UTC) for the last packet we received for this source/port.
NOTE! This is not a "blocklist". It needs further processing to be used as such. The data is distributed under a "Creative Commons Share Alike" license. You may use it for non-commercial use for free as long as you attribute DShield or the SANS Internet Storm Center as the source of the data. We always like to hear how our data is used.
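As an added example (not ISC tooling from the diary), here is a small Python reader for the file layout just described: it skips the '#' comment lines, splits the five tab-separated columns, converts the zero-padded "sortable" IPs back to ordinary dotted quads, and applies one simple "further processing" step so the raw feed is not mistaken for a blocklist. The feed lines and the report/target thresholds below are constructed for illustration, and the first/last seen values are kept as strings because the diary does not spell out their exact format.

```python
"""Reader for the tab-delimited daily_sources feed layout (added example,
not ISC's own code). Assumptions: sample lines below are constructed, and
the first/last seen columns are treated as opaque strings."""
from collections import namedtuple
import ipaddress

Source = namedtuple("Source", "ip reports targets first_seen last_seen")

# Constructed sample in the feed's format: '#' lines are comments,
# IP addresses use the zero-padded sortable form (10.1.100.10 -> 010.001.100.010).
SAMPLE_FEED = "\n".join([
    "# daily_sources (constructed sample, not real feed data)",
    "010.001.100.010\t4520\t312\t2007-10-14 00:01:12\t2007-10-14 23:58:40",
    "192.000.002.044\t18\t1\t2007-10-14 13:22:00\t2007-10-14 13:22:05",
    "203.000.113.007\t980\t45\t2007-10-14 02:10:33\t2007-10-14 22:41:09",
    "# end of feed",
])


def unpad_ip(padded: str) -> str:
    """Turn the sortable form (010.001.100.010) back into 10.1.100.10,
    validating that the result is a real IPv4 address."""
    octets = padded.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {padded!r}")
    plain = ".".join(str(int(o)) for o in octets)
    return str(ipaddress.IPv4Address(plain))


def parse_feed(text: str):
    """Yield one Source per data line; comments and blank lines are skipped.
    A line with the wrong column count is reported rather than silently dropped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 columns, got {len(fields)}")
        ip, reports, targets, first_seen, last_seen = fields
        yield Source(unpad_ip(ip), int(reports), int(targets), first_seen, last_seen)


def select_sources(records, min_reports=100, min_targets=10):
    """One example of the 'further processing' the diary asks for: keep only
    sources that hit many distinct targets with many packets, most active
    first. The thresholds are constructed; tune them to your own environment."""
    kept = [r for r in records if r.reports >= min_reports and r.targets >= min_targets]
    return sorted(kept, key=lambda r: r.reports, reverse=True)


if __name__ == "__main__":
    for src in select_sources(parse_feed(SAMPLE_FEED)):
        print(f"{src.ip:15s} reports={src.reports:6d} targets={src.targets:4d} "
              f"{src.first_seen} .. {src.last_seen}")
```

To run this against the real file, fetch it once a day with curl or wget after the 4am GMT build and pass the file's contents to parse_feed; the single-target entry in the sample is dropped by select_sources, which is the kind of low-evidence row a raw blocklist would wrongly include.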
Last Updated: 2007-10-15 14:22:22 UTC
by Maarten Van Horenbeeck (Version: 4)
Laptops have made our life much easier. We can now work when we want to, and where we want to – and do a better job. However, INFOSEC practitioners also suffer a bit due to that same advantage. Laptops are much more likely to leave company premises, and are relatively expensive and as such an interesting object for thieves. While the cost of a laptop fleet is significant to organizations, what we are most worried about is the data contained on them.
There are several issues related to laptop security:
- Physical protection of the device;
- Maintaining control over the networks it connects to;
- Preventing malicious code from being introduced in other settings than the “protected office”;
- Preventing leakage of data despite the higher risk of theft.
The risk posed to a laptop can also differ significantly based on location. For example, suppose you use full disk encryption. When you are logged in, such encryption is of little value. In the average American/European environment, we use full disk encryption as a means to guard the data on our device when it is ‘out of sight’. While we are watching the laptop, all data is relatively safe. Is this also valid for our oil executive travelling to Nigeria?
I’m looking forward to all your ideas, suggestions and comments, and will update the diary continuously when they arrive! Write to us here.
Boris wrote in how he avoids having any data at all on the endpoint. They are inherently prone to theft, and by enabling a connection to the home base and uploading work data there, one can maximally reduce risk of data theft on the endpoint. While this is not possible in all locations (try getting your oil exec a stable connection in areas around Port Harcourt, for example), the increasing availability of internet is making this more of a reality for many companies.
Moving further into the Nigerian plot, Derek proposed using a decoy partition which you can load with a secondary password as a way to avoid leaking data when under duress. He mentions TrueCrypt as a great tool to implement this.
Neal had some other great ideas (actually a couple of pages of them, great job and thanks!) Here are a couple of the most interesting ones:
- Always carry a cable and lock for your device;
- When you don't need wireless on a trip (e.g. during a presentation), disable it. Also ensure that your wireless drivers/software are hardened so you won't make unexpected connections. (editor's note: There is also wireless-specific security software available today to monitor the connections you make or connection attempts others make towards you. This may be overkill in some cases, but it's interesting to know about them);
- System hardening is important (disable autorun; you never know what untrusted material you may need to plug in to "get a presentation copy"). Also keep a thumb drive on you which you can write-protect to hand things out, and another one they can write to so you can take it with you and use elsewhere after further scrutiny;
- Do not walk through a metal detector until you see your laptop entering the X-Ray machine. Do make sure you don't have anything on you that may delay you further while your machine moves ahead. Mention you want to keep your laptop in sight if this would happen.