What to do when you see a phishing email

The tl;dr summary for those with short attention spans – Don’t open the attachment, be quick to delete anything you’re not sure about, and if you want to help in the fight against phishing, report it using the guidelines I’ve outlined below.

I received a pretty awesome phishing email today. It included a significant attachment that I’m looking forward to analyzing at a later date.

Since it will take me a while before I’ve got the time to run the analysis, I decided I wanted to forward it around to the appropriate organizations to ensure that they take some time and analyze it and make sure other individuals can be protected from it.

It turns out that there are more places to forward this than I expected. So here’s what I’ve found. You can forward the email to these addresses:

You can submit phishing websites to:

Most anti-malware providers are part of the APWG, so definitely make sure you submit there to increase the chances of later defense against the same attack.

Now what happens when you forward the email and you get an error?

Well, some (good) email providers scan email upon sending. In that case, you might not be able to actually email the example for further analysis. In this case you can typically send an encrypted zip file.

To do this, find a way to get the raw message source for the email. (Some help here and here.) Then, save the source as a plain text file using a local text editor. Finally, use a method to zip that text file with password-based encryption (use Google to find steps that will work best for you).

When you send the email, attach the encrypted zip file and explain you attached an encrypted zip file of the suspected phishing email, and include the password you used when zipping it. The password is just there to get past the email server, you don’t want the recipient to not be able to view the message!

Now, pat yourself on the back for helping take a bite out of crime.

Posted December 4 2012

The math behind passwords

We are working with a security policy that treats two passwords of equivalent strength:

  • 8 character password with two character sets represented (pick two of upper/lower/number/symbol)
  • 6 character password with three character sets represented (pick three of upper/lower/number/symbol)

The question arises, how equivalent (or not) are they? Well, it’s time to do some math.

Total Possible Passwords

One way to measure password strength is in the total number of passwords that one might be able to generate that meet that criteria. More would be better. There are 26 uppercase, 26 lowercase, 10 digit, and 33 ASCII-printable symbols available on the average keyboard (totaling 95 options). If we simply asked how many possible 6 character passwords are there, you can multiply 95 for each character that your password is long (i.e. 95 to the 6th power):

Total possible passwords from 95 printable character choices
six characters? 95 x 95 x 95 x 95 x 95 x 95 = 735 billion +
eight characters? 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 = 6.6 quadrillion +

You can see that these aren’t equal – the longer password is clearly stronger. However, there is no accounting for the different character sets that are required – maybe that will make a difference? Read on for more of the math behind passwords. (more…)

Posted November 12 2012

What good documentation looks like

A few years back, I was working as a tech writer for a company which made medical software. We were trying to get an important certification that we’d need to sell our product. And a crucial part of that was good documentation: we had to show how it worked, what it did, how it tracked everything, how it was secure, etc. Well, that’s what you have a tech writer for, so all is good.

It’s important to know, I didn’t have any existing documentation to work with. There was a wiki which had the developers’ notes in it, but that’s it. Nothing by way of formal hand-it-to-an-outside-entity documentation.

Okay, that’s not too abnormal; tech writing is expensive, and many companies don’t bother with it until an auditor is breathing down their neck. Hardly ideal, but to be expected, and I did have time. So, I set to it.

Since there wasn’t any existing documentation to re-do, I based my organization around the expectations set by the certification. And, a good week before the deadline, I turned in the completed documentation, all 100-something pages of it.

And that’s when disaster struck. The auditors decided they wanted the documentation in a completely different format – they weren’t going to read our documentation, no. They wanted us to fill out a questionnaire. The questionnaire was very comprehensive, encompassing exactly as much material as my documentation covered. And I had less than a week to complete it. I told my boss “No problem.” And I gave him the completed questionnaire in 3 days.


Posted March 27 2012

Using a Mac with VMWare vSphere (ESXi) 5

One of the biggest complaints I’ve had with VMWare vSphere and VMWare ESX/ESXi over the last few years is that managing my virtual machines from my Mac computer was a hassle. The VMWare management utilities are all Windows-only, and even the few web-based tools either do not work or are extremely limited from a Mac. While it isn’t perfect yet, VMWare vSphere 5 has made it so you can actually do just about anything you need to using a Macintosh computer; you just need to go through a few hurdles.

To enable the administration of your various virtual machines, storage, clusters, datacenters, and the like, you can now use the vSphere 5 Web Client. Before it can be used, it must be authorized; the best instructions I found for this are here. Follow the steps in the “Authorizing the vSphere Web Client (Server)” section. This is a one-time configuration necessary to enable the vSphere Web Client.

Once authenticated, you will see something that looks very similar to the Windows-based vSphere Client running in your browser.

vSphere Web Client

This will satisfy most of your management needs, but it leaves out an all-important capability; the ability to remotely view the console of the systems. There’s a Console button, but it won’t work on a Mac. Once you’ve installed a machine, you can typically enable some sort of remote desktop capability in the operating system, but what do you do before then? If you’re running Windows, you use the vSphere client and open a console, but on a Mac, you’re out of luck. Right? Wrong.

There is an under-documented feature of vSphere that allows the capability of opening up VNC connections from the host directly to the console of the virtual machine. To perform this, we first have to enable incoming connections to your vSphere server, as vSphere 5 has an integrated firewall. This is the one step you will actually need to use the Windows vSphere Client; everything else can be done using the Web Client. This step needs to be executed once for each vSphere or ESXi host running virtual machines you want to access using VNC.

In the Windows vSphere client, choose the host you wish to enable VNC connections on. Choose the Configuration tab and on the left choose Security Profile. On the right, next to Firewall click Properties… As VMWare does not include VNC as a protocol, it is not listed as an available option. However the ports allowed by the gdbserver protocol will suit our purposes. Check the box next to gdbserver. (It is also wise to highlight the gdbserver line and click the Firewall… button and lock down where you will allow these VNC connections to take place from; in ours I restricted this to our intranet.) Click OK and you’ve now enabled the incoming ports to be used for VNC.

Finally, enabling VNC access to the console machines is a matter of setting advanced configuration parameters on each virtual machine, which can only be done when the virtual machine is off. To open up the advanced configuration:

  • In the Windows vSphere client, choose the machine, click Edit Settings…, click the Options tab, choose Advanced->General on the left, and click Configuration Parameters… on the right.
  • In the Web client, choose the machine, click Edit Settings… under the VM Hardware section, click VM Options, click Advanced, and click Edit Configuration….

In both cases, you now want to add three rows by clicking the Add Row button.

Name Value
RemoteDisplay.vnc.enabled true
RemoteDisplay.vnc.port 5900-5999 are the “standard” ports, choose one different from other VMs on the host.
RemoteDisplay.vnc.password the VNC password used to access the VNC session; only the first 8 characters are encrypted using the VNC protocol, and weakly at that. Don’t rely on this for security.

Once you’ve added these rows and click OK, you can now use a VNC client to connect to the console of the machine. Power up the machine, and then using Finder on the Mac, choose Go->Connect to Server (or hit Command-K), and type the following:

vnc://<ip or name of esxi host>:<port chosen in configuration settings>/

and click Connect. You will be prompted for your password, and depending on your client/version of OSX you may receive a warning about how keystroke encryption is not enabled. Accept the warning, and you will see the console of the virtual machine! (And note, since Macs don’t already use the three-finger salute, you can safely just press Ctrl-Alt-Del in that VNC-window to log into Windows systems!)

Once you’ve installed the operating system of choice, and enabled that OS’ remote desktop capability, you may want to disable this VNC access. Just shut down the VM, go back into the advanced options and change the RemoteDisplay.vnc.enabled setting to false.

Hopefully at some point soon, VMWare will enable a true web-based console application (which doesn’t require host-specific plugins to be installed) to go with their nice new web client. Until then, this is a reasonable workaround for accessing virtual machines using a Mac.

Posted November 29 2011

Snow Leopard to Lion upgrade and Filevault

I recently acquired a new iMac at work to replace the 4yr old one I was using. The new iMac came with Lion on it, and since I had upgraded to Lion on my work machine, I went ahead and upgraded all of my home machines as well. My Macbook Air is my primary “workstation away from work”, and keeps client data. Because it does, I use FileVault on it. Under Snow Leopard, that only encrypted my home directory. Under Lion, FileVault now encrypts the entire drive, not just $HOME. However, if you upgrade, you have to explicitly convert your machine to use the new FileVault. And you need a lot of disk space to do it…

I have a 250 GB SSD drive – not exactly the biggest drive – and I have 11GB of that left. I wasn’t able to upgrade my machine to the new FileVault – until I moved the majority of my data to another computer and practically wiped my drive. I’m sure I’m not the only one in this situation – and generally, backups are not encrypted – Time Machine under Snow Leopard wasn’t, and most other backup options for home use are not either. So you have sensitive data backed up off an encrypted drive, just to “upgrade” to a different disk encryption technology. If I hadn’t upgraded, it wouldn’t have been a problem. If I was content to just leave $HOME encrypted, it wouldn’t have been a problem. But I wanted “bleeding edge”. Luckily, I have an iMac at work to off-load all of the files to – encrypted with Lion’s FileVault from the start.

Posted November 1 2011