What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
What was the vector of Cryptolocker? Did you ever determine it?

    We've seen some Crypto-like stuff hit people with Java drive-bys and such.. Old Java version?
     
  2. DX2

    DX2 Guest


    NP Man :)
     
  3. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Win 7 x64: MSE, SAS, MBAM (both on-demand), SpywareBlaster, browser hardening. Ubuntu: browser hardening (NoScript, ABE, WOT). Android: None.
     
  4. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    Thanks I keep it simple. ;)
     
  5. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I will give it a look. Thanks Wat.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
New setup.. I dropped the USG210 off (overkill), and returned it to where I work, swapped it out with the USG60 NGFW. Now I am set up with:

    Network:
    Motorola DOCSIS 3.0 Modem
    ASUS RT-AC87R Wireless (in AP Mode only)
    Various 8 Port Gbe jumbo packet switches. (non-green mode devices)

    Network Security:
    ZyXEL USG60 NGFW Layer-7 UTM- Full AV/URL/IPS enabled.
Untangle v11 Layer-7 - Full AV/Adblock/Intrusion Prevention. (transparent bridge mode on a Dual Core 2.66 GHz)

    Failover:
    4G LTE USB Hotspot (plugged into ZyXEL)

    Backup:
    3x CyberPower CP1500AVRLCD

    Power Conditioning:(whole house surge suppression/power conditioner)
    PU1200 KVAR

    Desktops/Laptops:
    Norton 2015
    Kerish Doctor
    uBlock
    HTTPS Everywhere

    Servers:
    Appguard (full lockdown)

People may balk at me using the most powerful WiFi router in the world as an AP. I find it frustrating I can't use its security features in AP-Only mode myself. But consider that it's better than $500-$1000 Enterprise APs, and you realize it's a bargain at $290.00...

    This may be the most secure setup here because of the layered layer-7 UTMs and blended protection it provides, covering a wide range of malware, exploits, and malicious websites. The network has layered Kaspersky UTM and ClamAV UTM, combined with double intrusion protection, and 2 stage URL filtration. Latency hasn't been increased with this setup, and the speed tests out perfectly with leveled network strength. I'm re-wiring the entire server room this weekend with Cat6 (550 MHz) to future proof it, and to improve shielding.

    I've been debating on going with Sophos UTM9 vs Untangle. But Sophos is a pita, even in transparent mode because it is so heavy on protection/blocking that it blocks normal things like SmartTV's and VOIPs. But it offers free - Avira+Sophos dual scanning engine on the network. However it offers no adblocking whatsoever, and given Untangle blocks on average, 3,000 advertisements a day at the network level - it's probably a better solution - and it just WORKS. If there is a way I can improve this network I will, but so far I think I have it covered.

    Edit: I just ordered another refurb dual core box, and will attempt the impossible this coming weekend. Triple UTM with two of them in transparent mode, chained together. It may fail miserably, or set a new standard in insanity for Wilders.
     
  7. x942

    x942 Guest

    After a long while I finally did a major security overhaul.

    Network:

    Buffalo Wireless N router running open-wrt
Untangle UTM - This is the actual router; the Buffalo is set as a dumb Access Point and doesn't do anything else.

    Network Security:

    WiFi - WPA2-CCMP
    Raspberry Pi running Kismet and alerts me if something weird is going on (potential Rogue AP).
    Second Raspberry Pi running a custom script that alerts me any time a new device connects to my network.
    Untangle Router is running Snort IDS and AV on top of the normal firewall. Also blocks all P2P traffic and "shady" sites.


    Failover:
    4G LTE WiFi router


    Desktops/Laptops:
    Laptop #1: Debian Linux hardened with GRSecurity and RBAC.
    Laptop #2: OpenSuse hardened with GRSecurity and RBAC.
    Airgap: Debian Linux hardened with GRSecurity and RBAC with all network disabled in the kernel and physically. Battery powered to prevent powerline attacks, stored in a secure location to limit access.

    Web browser: Chromium with uBlock, HTTPS Everywhere, JavaScript disabled by default.

    Encryption: LUKS AES-256-XTS for all computers. Also use Tomb for encrypted volumes.


    Servers:
All of my local servers are run on one machine; I use KVM to virtualize them. Most are protected with SELinux/AppArmor. My servers are local only and can't connect out over the WAN, so I am not too worried about them being attacked. The VMs are turned off when I am not using them too.
     
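The "alerts me any time a new device connects" script on the second Raspberry Pi is not shown in the post; the following is an added example of the idea, not the poster's own code. It assumes a Linux host (the Pi) and reads the kernel ARP table in /proc/net/arp format; the baseline and the ARP snapshot below are constructed.

```python
"""Flag LAN devices missing from a known-hosts baseline (added example).
Input is the text of /proc/net/arp; on a real Pi this would run from cron."""
from datetime import datetime

# Constructed baseline of known devices: MAC -> friendly name.
# Note: a MAC baseline is a tripwire, not authentication; MACs can be spoofed.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "untangle-router",
    "aa:bb:cc:00:00:02": "laptop-1",
    "aa:bb:cc:00:00:03": "kismet-pi",
}

# Constructed /proc/net/arp snapshot (same column layout as the real file).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:02     *        eth0
192.168.1.30     0x1         0x2         aa:bb:cc:00:00:03     *        eth0
192.168.1.77     0x1         0x2         de:ad:be:ef:12:34     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp_table(text):
    """Return {mac: ip} for complete ARP entries (flags 0x2 = ATF_COM).
    Incomplete entries (flags 0x0, all-zero MAC) are skipped: they are
    outbound lookups that never answered, not devices on the LAN."""
    seen = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if int(flags, 16) & 0x2 == 0 or mac == "00:00:00:00:00:00":
            continue
        seen[mac] = ip
    return seen

def find_new_devices(arp_text, known=KNOWN_DEVICES):
    """Return sorted [(mac, ip)] for hosts not present in the baseline."""
    seen = parse_arp_table(arp_text)
    return sorted((mac, ip) for mac, ip in seen.items() if mac not in known)

def format_alert(new_devices, now=None):
    """One alert line per unknown host; empty string when nothing to report."""
    stamp = (now or datetime.now()).strftime("%Y-%m-%d %H:%M:%S")
    return "\n".join(f"[{stamp}] NEW DEVICE mac={mac} ip={ip}" for mac, ip in new_devices)

if __name__ == "__main__":
    # Real use: arp_text = open("/proc/net/arp").read(); pipe alerts to mail/log.
    print(format_alert(find_new_devices(SAMPLE_ARP_TABLE)) or "no new devices")
```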
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    @Mayahana
    I see that you have good network security set up. Probably so good that I don't believe Norton 2015 is bringing anything to the table.
    Did you consider installing some kind of white listing solution (anti-exe, HIPS) on your desktops instead of AV?
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Regarding Kerish Doctor, I was under the impression from some of your previous posts that you were very iffy when it came to Russian software (and from China as well)? Or was that more for your workplace equipment?
     
  10. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Emsisoft Anti-Malware.
     
11. Desktop setup (Windows 7 Ultimate 32-bit)
    - Recovery: Weekly Windows Image and Syncback Free data backup to NAS and USB-disk
    - Hardening: Windows Firewall (also blocking outbound), GPO (disabled risk-ware/autoruns)
    - Whitelist: UAC (block elevation of unsigned), SRP (default deny basic user, allow admin)
    - Mitigation: EMET (+block jscript/vbscript in Office), µBlock (+block 3rd scripts/iframes)
    - Blacklist: Norton DNS, Chrome (safe browsing), Linkscanner (scripts), µBlock (easylist)
     
    Last edited by a moderator: Nov 7, 2014
  12. VectorFool

    VectorFool Registered Member

    Joined:
    Oct 21, 2012
    Posts:
    280
    Location:
    India
    Ditched Online Armor Firewall for Comodo Firewall.
    Online Armor is a good firewall, but not great when it comes to usability for me, also too many exploits passed through it in my private testing.
    But it was compatible with Emet 5.

Comodo Firewall on the other hand is a bit buggy too (CIS tray doesn't start up automatically), but thankfully I found a fix in their forums.
    Although it's no excuse for Comodo to release a "stable" product which is unusable without a registry fix.
    Sadly EMET 5 became unusable with Comodo Firewall.
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Great setup!

I'm staging for three Layer-7 UTMs in parallel this weekend - should be interesting if I can pull it off with creative forwarding/routing/policies. I just rewired my entire network to Cat 6a last night to get ready, and replaced one of the switches with a rack mount 16 port Gbe with Jumbo Frame Capability.

    That's 4 AV engines at the network level, 3 of them free (Kaspersky, Clam, Avira, Sophos), with multi-layer intrusion/shielding, and 3 layer deep URL inspection, if I can keep the latency down to sub-2 ms. Right now it's sub-1 ms with 2 of them online.
     
    Last edited: Nov 5, 2014
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah, no question that if something doesn't play well with SBIE, it's that something that has to go, not SBIE. It's the only thing keeping me from adding MBAE Premium to my setup right now.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
That's exactly what I do. About 4 months ago, after doing a factory reset in my W7, I found Libre Office portable giving me some kind of error. At the time, I did not want to spend the time figuring out why this version was not working under SBIE like the slightly older version that I had been using before the Reset.

    So I just installed something else. This something else was Kingston, which I didn't like much for different reasons. A few days ago, while in Shadow mode, I decided to check if the latest Libre was working better with Sandboxie and to my delight, I found it working great. After getting out of Shadow mode, I uninstalled Kingston and went back to Libre. :thumb:

    Bo
     
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Why run SBIE when you can run a VM/VBox and be done with it? Virtualize everything, then share folders you want to share like in ESXI.

This seems like it would be much more compatible, and far fewer headaches than using SBIE.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Hi Mayahana. Using Sandboxie is not a headache, you should try it sometime. The convenience that you get with SBIE is unmatched. Virtual machines don't come close. By the way, most programs work great under Sandboxie, the example that I wrote about is only an example. Nothing more.

    In my computers, XP and W7, all programs and files run sandboxed every time that they run. And they run nice and safe. Using Sandboxie the way I do, allows me to use the computers as they were designed originally to be used. If I want to run something, I just run it without bothering with scans or antiviruses or anything like that. Try it, you might like it.


    Bo
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I understand the concept of SBIE, limited virtualization. But why not just toss Mint in a VBOX, and use that without any security of any kind, then link a protected, isolated USB as the shared drive between the VM and OS?

Never a care in the world when you do that, and no risk of any errors, incompatibilities, etc.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
A few reasons. Both my XP and my W7 have 2 GB of memory. For what I do when I use the internet and the computers, that is more than plenty. But I can't use a VM with that amount of memory. Read this, Mayahana. The convenience that you get with SBIE is unmatched. I don't have to reboot to get out of sandboxing. You sandbox programs and files and delete the sandbox in the time that it takes you to open and close your eyes. You cannot do that with a VM. And resources, Sandboxie pretty much uses none. CPU usage is always a nice big 0%.

    And security-wise, virtual machines are supposed to be safer, but in the 6 years that I have been using Sandboxie, I am still waiting for something to escape the sandbox. Nothing ever does. Sandboxie works so nice that I got rid of all other real time security companions 4 years ago; I even went a little further 3 years ago and stopped carrying any on demand scanners. Sandboxie is it for me. Looking for something else or making changes just for the sake of change is not wise.

    Bo
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
I missed this part. This is the way Sandboxie treats USB flash drives. Whenever I insert a USB flash drive, the USB drive folder pops up open using a sandboxed version of Windows Explorer. If anything runs, I don't care what it is, it runs sandboxed. :cool:

    Mayahana, you seem to be a nice fellow....try Sandboxie, you might like it.

    Bo
     
  21. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This explains it. Not enough ram to do this, 4GB is the minimum for an effective VBox. SBIE probably is perfect in this case.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
Yes it is. :) Mayahana, I'd like to turn you on to Sandboxie. Listen to episode 172. The first thirty something minutes are about NoScript. I love NoScript but you can skip that. At about minute 36, Tzuk starts talking about Sandboxie and what motivated him to create it. Download the 43 MB audio file.
    https://www.grc.com/sn/past/2008.htm

    Bo
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
I've known about SBIE for years, and was an early user of it. Also I used Dell's KACE browser for quite some time, which is essentially a SB-type program integrated within the combined code of Firefox. I have little need for any desktop security anymore, but in the past (as recently as a month ago) had a thin client window for browsing-only. Thanks though!
     
  24. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
Reformatted my lappy and shrunk my layered security a bit... Should I add CryptoPrevent again or should ERP be enough to stop Cryptowall etc?

    I should let you guys know that sometimes I browse without SBIE, but usually only trusted sites.
     
  25. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Don't act as if his entire stance hinged upon his lack of RAM. He brought up a ton of valid points as to why his approach is sound. And how it is especially more convenient... no contest, contrary to what you stated.

If you're using a box from your own home it doesn't matter what type of measures you try to take to be anonymous. Deploy as much security and privacy as you want (within reason), while keeping things light and convenient. I deploy a setup like the one you mentioned (and then some), but on a Macbook that I never use on my own network, from my own home. Using chained VPNs & TOR, all running on an encrypted USB stick (a Kingston DataTraveler 4000), taking measures to see to it that nothing touches the actual box. But it's hardly practical to roll like that all the time, like when I'm just watching Youtube videos, or talking to y'all on here. What's in my sig is plenty sufficient for that, and probably even overkill.
     