Die in a fire, you Nigerian shit.

The first symptom, as far as you can tell, is probably a bunch of your friends asking you casually, what the kind of crap is that you’ve been sending them.  It’s only when you ask them to show you the messages they’re referring to that you realize that some Nigerian, Russian, Chinese, (or, for that matter, American, French, Japanese, what-have-you) son of a bitch controls your account and is blasting out garbage to all your friends.

Even more nefariously, a lot of these are plausible-sounding messages, like one I received recently from an email contact purporting to be stranded in Madrid after his wallet, passport, keys, phone, and plane ticket were stolen, begging his friends to call him on a local number for instructions on how to wire some emergency cash.  Frequently, the only thing that gives such messages away at a cursory glance is the piss-poor spelling and grammar used by the scam artists responsible.

This post is sort-of directed at the non-technical people, who maybe don’t check their personal mails all that often.  Yes, it’s confusing, and yes, it’s not fair, and yes it’s hard work.  So are taxes.  If you’re not lucky, not only do all your friends now think you’re an idiot, but all your email has been deleted.

First, see if the mail is still around.  Check the trash and ‘all mail’ links.  Maybe you’re lucky.  Google does not restore deleted mail from backups.

To make sure nobody is able to hack your account again (i.e. with backdoors) go to

https://www.google.com/accounts/ManageAccount?service=mail&hl=en

Under “personal addresses” go to “email addresses” (top right).  Make absolutely sure that any addresses for which password recovery is enabled are only ones you trust.  Otherwise an attacker could just say “hey, I want a password reset sent to my address”.  Smart attackers leave their own addresses there.

To understand how this could have happened, here are some more common ways in which someone can “hack” your gmail account:

• trojan on your PC
• sniffed password (you do use SSL by default, right?  It’s a gmail option to always force SSL)
• sniffer on a shared system (Internet cafe)
• untrusted app
• xss / cookie stealing

Trojans

That is short for “trojan horses”.  These are often self-replicating viruses either downloaded from malicious web sites that were hacked (in some cases you won’t even know, you may be using an older browser like Internet Explorer 6) or via an unpatched Adobe Acrobat, or Flash.  May also come from someone attacking your PC by network, say in an Internet cafe.  You may not see these;  you open up a website like you usually do, but it’s been compromised, and boom, that’s it.  Invisible, annoying.  Or, your laptop/workstation may be attacked remotely, using a security hole in the operating system.

How to deal with them?  Regularly update your browser to the latest version and install operating system security patches.  Make sure you have an up to date virus scanner.  Do regular scans.  Turn on your PC’s firewall (google for Windows firewall or Mac firewall.  Both systems have a semi-decent one built in that will at least give you rudimentary protection.)  Avoid using open wireless networks and visiting sites you don’t know whenever possible.

Sniffed password

You do have a strong password, right?  Strong passwords have

• 8 characters or more
• a mix of upper/lowercase letters
• numbers thrown in
• non-alphanumeric characters (e.g. !, ?)

Use mnemonics to more easily remember passwords (Ih8h@ck3rs!) or pass phrases (actual sentences) if a website / application supports them.

Your password can still be stolen by being “sniffed” — this means that you are logging into Gmail without the connection being encrypted.  Have you bought stuff online and seen the little lock at the bottom of the page?  That means your browser is using encryption to make sure anyone listening in cannot “sniff” your password.  SSL, or “secure socket layer” is that little lock on the web browser.  To enable it by default in gmail, go to settings->general->browser connection.  Set it to ‘always use ssl’

Next, check your applications and make sure there’s only stuff there that you yourself enabled.  Delete anything you didn’t.

Lastly, on your gmail main page, go to google labs (the green erlenmeyer flask icon at the top right next to the “settings” link) and make sure that only labs apps you yourself enabled are active.  Deactivate all others.

Sniffing on a shared system / Internet cafe

Password sniffing is quite difficult when, say, you’re connecting from home.  It is _very_ easy when you are at an Internet cafe.  Wireless connections can be encrypted, via WEP or, better, WPA or WPA2, both supported by almost all wireless cards in laptops.  If a wireless connection requires a password, it’s usually at least somewhat safe.  WEP is not so much safe, but it’s better than nothing.  If you are at an Internet cafe using a common PC, you risk that someone will have installed a piece of software that can “read” whatever password info you type (known as a “keylogger“).  There are ways to ensure that this doesn’t happen (e.g. the system is reinstalled from scratch after each reboot — not so complex) but that is tough.  Your best defense is to buy a small netbook or something and take it with you.

When using an Internet cafe, never click anything that offers to remember password.  When you log out, always clear any stored information, e.g. cache, passwords and cookies.   Here is a link that explains how on various browsers.

Furthermore, most modern browsers have a feature called “private browsing” or some variation thereof.   This means that nothing is stored while you’re online.  Use it.

Untrusted applications

See above with google apps.  Also, when you download software or docs, obviously never run/open anything you do not explicitly trust.  Have a good virus scanner, run it regularly.

Cross-site scripting (XSS) / cookie stealing

Cookies are bits of information that websites use to remember things about you — for example, when you log into amazon and return later, a cookie is what is placed on your PC to let you auto login again.

These can be “stolen” and used to impersonate you, i.e. when you use an Internet cafe system.  To help protect against this, whenever you are done browsing, manually log out of everything, and go to your browser’s “clear history” link (e.g. on Firefox, under tools-> clear recent history).

They can also be stolen while you are online, although that is a bit more complex.  XSS is “cross site scripting”, which basically means that if you have a browser open and visit a trusted site in one window and a malicious site in another window (again, the “malicious” site may just have been hacked and not be aware of it) the guy who has taken over the “bad” site can intercept and steal your session with the “good” site.  This is probably where most google account hacks come from.

To guard against that, when you log into gmail or another service, make sure it’s the only browser window you have open; don’t multitask with several tabs unless it is to visit sites you know are legitimate.

This can all happen even if you take all due precautions, but it is rare.

Also, regarding passwords, make sure you have a STRONG one.  I.e. at least 8 characters, alphanumeric, mixed case, some special symbols thrown in (!?*whatever) and nothing that could be tied to you (name, birthday, etc.)  Use a mnemonic (i.e ilikechinese -> 1l1k3ch!n353!)

A precaution:  back up your email account.  Here are 3 million search results for “gmail backup”.

From my latest victim friend:

Thanks for helping me John – it’s been a fucking nightmare as a freelance writer – I’ve lost so much material!

The same thing can happen with Hotmail, Yahoo!, LinkedIn, Facebook, Plaxo, anywhere you store large amounts of contact info.  Standard precautions apply.  And as always, nothing is foolproof.

Note that a CSIRT doesn’t replace the regular R&D and operations groups, but is a supplementary body, coordinating both preparation for and response to things like information breaches and attacks.

By its very nature, a CSIRT has to have a strong mandate and a lot of authority in an organization; this requires management support, and a lot of it, in addition to a really close and positive relationship with all other teams involved in these activities. Examples of these are the network security organization, various helpdesks, human resources, email administrators and others who may be attached as auxiliaries to a CSIRT.

In order to get this sort of mandate, you will have to coherently demonstrate an overall risks-rewards scenario. So:

• What are the threats to my organization and what will I lose if I do nothing about them?
• What does my organization stand to gain (productivity enhancements, etc.) by dealing with these in an organized manner?

In my experience, the most positive elements of a CSIRT is that it allows coordinated vulnerability management and a coherent, organization-wide process for things like patching systems and updating security software, in addition to being a locus for discussion and cooperation by various technical groups (the Windows server administrators, UNIX, email, network, security, etc.) This sort of collaboration tends to extend beyond the direct focus of the CSIRT’s day-to-day activities.

A few examples of the logic I use:

Simply put, if you don’t do anything, and something goes wrong, the results can vary from your looking stupid to someone going to jail. There’s a fine line between FUD and realistically outlining possible consequences, and IMHO Sarbanes-Oxley has been a bit overused by enthusiastic security people, but I would clearly outline things like data protection laws or past Bad Things happening when organizations suffered attacks (i.e. British Airways losing several thousand workstations to Blaster.)

I think this is a pretty good outline of what it is I’d propose as a CSIRT’s roles and competence. In your case, you might want to play up the final business value a bit more, maybe put numbers on the risk reduction.

If you contact me and ask nicely, I’ll be glad to share the whole thing.

Much of our time was spend developing the individual policies and procedures outlining the IRT’s responsibilities, defining authority and basically selling ourselves to both management and the line teams–an investment that paid off pretty well; by involving everyone closely in what we were doing, we received a lot more cooperation than we could have expected had we just been imposed on the company as a fait accompli. In the end we ended up handling several high profile cases pretty successfully. I’ll be writing more on this topic in the future, but the following is a partial outline of what I see as an IRT’s basic responsibilities:
- threat investigation, categorization and warning/announcement

- vulnerability management (a monthly vulnerability board meeting to discuss these)

- investigation of external attacks, bank-related fraud, phishing, etc.

- internal forensics (e.g. information leaks, sabotage, harassment)

We started out essentially from scratch and within the space of about 6 months had a fully functioning organization. Lesson learned: always handle budget and authority first. Lesson #2: PR is as important as substance. Frequently, PR (i.e. keeping people informed clearly and concisely of threats, vulnerabilities and your activities) IS substance, there’s no reason why you can’t combine the two.

Another thing we figured out is that every CSIRT is a tailor-made affair; even in a large corporation, some massaging and diplomacy is required to exert authority in subsidiary companies — again, involving their staff and management and keeping them informed goes a long way towards fostering acceptance.

A few of the links that got us started:

- CERT and it’s “creating a CSIRT” page:

http://www.cert.org/

http://www.cert.org/csirts/Creating-A-CSIRT.html

- The CMU CSIRT handbook:

http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html

- RFC 2350, Expectations for Computer Security Incident Response:

http://www.ietf.org/rfc/rfc2350.txt