Slashdot Mirror
Honeynet Project: Blackhat Attack Stats
edsonw writes "The Honeynet Project published an interesting paper about their work. They say: "We are psyched to announce our newest paper
, Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...)
We demonstrate just how aggressive the blackhat community is.""
The fastest time ever for a system to be compromised was 15 minutes.
/. stories are compromised within 21 seconds of being posted.
So what? Nearly all
Result: 0 breakins for a huge number of attempts. NetBIOS, rpc, dns, and a LOT of ftp attempts.
Not surprisingly I'm AC'ing this post to preserve a) bandwidth b) sanity and c) track record.
I'm VERY grateful to Theo DeRaadt and his crew and the contributors for doing such an amazingly good job. More power to them.
I've always seen script kiddie as a noun and blackhat as an adjective, and this sort of correlates with the usage in the article ("blackhat" as a noun for "attacker").
When I was a kid, we had to bite on aluminum foil to generate electricity to power the motherboard. The motherboard was tied to my chest with my chest hair because we couldn't afford anything else. We couldn't afford network cable so I would lick my fingers and use my arms as thicknet cables. When my brother was born they put a vampire tap on my left arm to extend the network.
-Paul Komarek
All of our apache servers were hit about 29-35 times with the recent IIS bug (the .ida one). Several times from the same client.
Our NT IIS servers where hit 0-2 times.
Duh!
For RH 6.2, before you even connect it to a network, I reccomend you have a copy of Bastille Linux (Which is actually a script, not a distrobution) on hand. This is great for newbies.
/etc/inetd.conf file (which only appears in a server install).
/. post, but the above is a good start for Red Hat 6.2.
As a general rule:
run the "ntsysv" tool, and disable portmap, httpd, bind... hell disable EVERYTHING, and begin turning on things as you need them. (If you don't know what it does, turn it off, if something stops working, you know what that was and can turn it back on.)
Comment out everything in the
Have nmap on hand, and scan 127.0.0.1 (yourself) with it, to make certain your ports are closed. Nmap should only find port 113 (and 22 if you install SSH). Sure, you can have more open ports after that - but that is providing you know what they do.
There is no way I can give you enough advice on how to secure a machine on a simple
Try to hack my 31337 firewall!
Wow. If that's true, this is just crazy.
It is true. I witnessed the very same happen to a Red Hat 6.2 machine in 10 min. The next fastest I saw was 4 hours. I have 20 Rh machines now, and when I first started with them I did not know how to secure them properly.
I found out just how fast someone could "own" them.
I agree, the services should be OFF by default, just like Open BSD. Maybe the powers that be will listen one day.
For now, I install on a non-networked machine, install the patches off CD, and secure the machine before attaching a network cable.
Try to hack my 31337 firewall!
Some ideas:
The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d. Maybe start off with a more up-to-date distro so as to decrease the risk of attack during the install process? Or, you could download all the security updates onto an existing machine, then take down your external connection, install from the RH 6.2 CD, copy over and apply security updates, and only then bring up the link to the outside world.
Remember: it's a "Microsoft virus", not an "email virus",
Your right to not believe: Americans United for Separation of Church and
A simple analysis I would like to see would be to correlate the probes and attacks over the time of the week when they occurred, with granularity measured to the hour, possibly with a 3-hour moving averages. This is likely to provide significant results.
I once analysed the spam I received over the course of a month, and even this very limited data set revealed clearly that more spam is sent on weekends, with Sunday recording twice as much spam as Thursday. Probes and attacks are likely to follow a similar statistical pattern, in part because spammers and blackhats are an overlapping community.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
You're missing 4 things ;)
.|` Clouds cross the black moonlight,
a) stay uptodate - apply patches like there's no yesterday
b) use an IDS like snort
c) run logchecker and AIDE
d) use libsafe around net-listening daemons.
Then you'll be in the right league; whenever you get emails off these you're expected to *read* them, too.
Me, I'm getting portmapper, FTP and DNS in approximately that order; I've also had quite a few telnet scans following the recent vulnerability in telnetd as well.
~Tim
--
~Tim
--
Rushing on down to the circle of the turn
So here's a hint, learn how to use your OS before you put it on the Internet. If you're a linux fan, figure out IPTables and implement it. If you're into BSD or Solaris, use IPF and really learn it. Download the security updates for your system and apply them before you put it on the Internet. Air gap security is the best time. When you're done with your box, you should only be running a late version of (Open)SSH and whatever services you explicitly want people to connect to. Inetd should be turned off, for the most part. Unfortunately, system security is not easy. This is why it pays to be a script kiddie. They don't have to know how something works, they just need to use a script against as many boxes as possible until they find a weak one.
Yes, I bought a bumper sticker at Defcon that reads "My other computer is your linux box."
What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then its a perfect location to work from while they scan and exploit other systems.
While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.
The attacker may never do anything "malicious" to a system that he comprimises, but I can tell you for sure, no part of his activities can be attributed to "good will".
-Restil
Play with my webcams and lights here
Are there any distros with security tools installed by default?
Mandrake now ships with Bastille.
Bastille is a way to beef up your system security. I believe it was actually developed for Red Hat, but RH doesn't include it. It is a script, and I think it probably has a GUI front end by now.
If you put up a machine to get hacked (a honeypot), aren't you partially responsible for any attacks to other machines that blackhats launch from that machine?
This is explained in the main paper:
http://project.honeynet.org/papers/honeynet/
To sum it up: they don't let spoofed packets out of their network, and limit a machine to 5 outbound connections (over some time period, I suppose, although it doesn't really say), after which the system is marked as compromised and can then be reloaded, or whatever...
--- Where's my X.400 protocol decoder?
My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.
Mandrake 8.0 ships like that. It even warns you before installing about what services are running.
And, I've found the firewall to be tighter than gnat-booty.
HI Mom!
Linux - Because Mommy taught me to Share.
I love this kind of response.
Look, the statistics are for a default install of Red Hat 6.2, which is about 1.5 years old now, but is still pretty secure if you perform the "desktop" install and then apply all of the updates.
If you install 7.1, and then all of the (many fewer than 6.2) updates, it's even more secure owing to: 1) Red Hat 7.1 ships with an ipchains configuration 2) xinetd allows finer grain control over many of the less secure services, should you wish to turn them on.
Red Hat is not the world's most secure OS, but let's be fair and admit that they do an excellent job of staying on top of what's out there, and providing updates to their customers. It's relatively easy to be an OpenBSD and say "our OS is secure as long as you don't install a web server", but companies like Red Hat are actually trying to solve the hard problem of general-purpose, secure operating systems and server software. If, after over a year of everyone beating on it, exploits are found in the default, unpatched version of their OS, I can live with that, as long as they have addressed the problems.
--
Aaron Sherman (ajs@ajs.com)
And hey, if you ever have to move, you won't need to pack that machine up at least. Just write, "Fragile: Computer" on the outside.
----
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
Use OpenBSD.
OK - I admit I only scanned this article - but in their explanation of the honeypot, they seem to indicate that there was no form of a firewall set up in front of the machines in the honeypot.
I currently run FreeSco on my homebrew firewall, which is a simple NAT affair. It seems to run well, but sometimes I tend to wonder if it (and associated connected systems) might get rooted.
I check the logs on occasion - but I am not a grand admin - so while I can tell from the logs when a portscan for 138/139 is occurring (SMB) - other possible probes would elude me.
Or am I reading this wrong - was the honeypot protected with a cheapo (read "consumer") firewall product (like a DLink or Linksys router/firewall)?
If not, what would the statistics have looked like if it was?
Worldcom - Generation Duh!
Reason is the Path to God - Anon
The article most likely could have been summed up as:
"If you run a system without a firewall and it is hooked up to the internet, be prepared to be cracked at some point, sooner rather than later."
All I have to say about this is "Duh!".
Actually, learning the techniques and tools used could be helpful - I will give it that much.
Worldcom - Generation Duh!
Reason is the Path to God - Anon
o There doesn't really exist a distro in the Linux realm that has a high focus on security. There are things like Bastille Linux which is a good overall Q&A tool that will really help you, but I eventually ended up learning ipchains from the command line.
o Snort appears to be the defacto Intrusion Detector right now. There are a couple of different snort rulesets that you can use out there. You won't have much luck interpreting them unless you find a TCP/IP book to read them.
o No. I don't know of an easy way. I think it's pretty hard.
o What's the point?
The point was that the HoneyNet leaves holes in their firewalls and their boxes. They turn on sharing in the Win98 box so they can monitor and detect the traffic and the new techniques. A default RedHat 6.2 box not firewalled is pointless. A RedHat 6.2 box with the latest security updates and with a firewall or with some nifty IPchains rules is still pretty good.
The point is that if you use 6.2, you need to lock it down before you go letting it serve your email, or your webpage, or your dns domain. Heck, and it's not just 6.2. Both 7.0 and 7.1 do have security flaws in them.
hallo 192.168.1.1, how 'bout a nice juicy apple?
--
I have no fin
no wing no stinger
no claw no camouflage
I have no more to say...
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
I just got around to "installing" MonMotha's iptables firewall. I'm really quite pleased with it considering I had it configured and running within 5 minutes. It's really just a configurable script to apply iptables rules, and I hardly had to make any changes. For example, I need NFS and FTP within my LAN, but I don't want the outside world to be able to see it. Easily done with this script. Plus it has other features, like protection from ping flooding. It's not the last word in security, but for someone on a little dialup system with a few computers connected, it's a hell of a lot better than nothing at all.
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
Even though they made "no attempt to publicize" it, they also made no attempt to hide it.
But that was the point of their experiment. I'll be you dollars to dimes that the number of computer users who throw out-of-the-box machines up on a network far outnumber the users who secure their boxes before putting them in public reach.
It's true that having all these machines on the same network can cause inflation of their numbers. If I were a script kiddie and discovered a variety of machines with a default installation on a network, you can bet I'd have a post-it note on my computer with that network's address. The Honeynet Project looks far from being truly scientific, but it provides a view of the worst-case scenario.
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
You've obviously not tried RedHat 7.1 then (I forget if it was in 7.0 or not). Very slick installer, and on the way it asks you what kind of firewall you want "secure, medium, none", and has an option for specifying rules by hand if you know what you're doing. Exactly what you want. :)
Of course, that's not the only thing that needs doing, and RedHat has come under fire in the past about services running by default etc. IME they take this very seriously and continue to improve all the time. Part of the problem is newbies who get RedHat, cos that's what they've heard of, do a full install (which yes, does install everything - including all those daemons), don't bother keeping up to date with patches (which is now very easy to do with RedHat's up2date agent), and then get rooted. Hopefully with the way things are going this won't be so much of a problem.
If the most common way to patch a Red Hat system is by downloading patches through the Internet, how can someone get a RH system up and running without it being compromised in the process?
The shareholder is always right.
"My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service."
Trustix does this. Or at least with very few (and securely configured) services by default.
A better project would be one that had a lot of machines from various volunteers all over the internet set up and collecting statistics. That way, no one could tell just by looking at the IP address whether a machine was part of the project or not. A more random sampling like that would give a much more accurate picture of how often the average machine-on-net can expect to be attacked.
Free Hans!
Bastille is a set of Perl scripts that walk you through the process of securing/'hardening' your system. Very much like a wizard, it asks you if you want to do 'A' with an quick explanation of why you should an when you shouldn't do so.
http://www.bastille-linux.org/
Mandrake 8.0 does include a GUI front end for it, however it does have a text mode 'menu-ish' system if you don't want the Graphics.
Or if you are really concerned about security install OpenBSD.
To summarize: Yes, but you can't launch outgoing attacks from any of the honeynet machines (they're careful that way).
-Renard
Small improvement: Install, disconnect net, disable services, set up Ipchains (or iptables) to allow only connection to your vendors update site, connect, download upgrades, open your iptables where public access is really needed. Such Iptables scripts should be part of every distribution!
In Murphy We Turst
Set the machine up behind NAT. Or, install it and turn off all of the services (use lsof -i to check) and then download the patches.
Vintage computer games and RPG books available. Email me if you're interested.
The Honeynet project was set up to demonstrate the threat of hacker attacks. I noticed throughout the report a certain amount of rile-'em-up sensationalism. In other words, although the data collected and their analyses are certainly important and extremely valuable, they should be taken with a grain of salt.
:)
Although I'm probably going to clean my unprotected RedHat 6.2 box before I connect it to the 'net again.
I would like to see a corelation study of this information against postings to BugTraq. Information can be a two edge sword.
In fact, the best, most secure OS's have hardly any features at all other than basic command line programs. To create a secure system, you should start with a stripped down OS and only turn on the services and run programs that you need. That way, you know your system and everything that is running on it.
Start out with the basic Debian system(~15MB), and add the software you want. You'll have to understand any services you run(HTTP, FTP, SSH, etc) and you'll have to install and enable those services yourself.
Even better, go with OpenBSD. There hasn't been an OpenBSD box(default install anyway) that has been rooted in the last 4 years. With this report that shows how boxes are routinely scanned in the first 72 hours they are on the net, the OpenBSD statistic looks very impressive.
As long as bells and whistles sell software, we will always have security problems. I don't see the emphasis on features going away anytime soon either. Thus, security professionals will always be in demand and stories about crackers and virus authors will continue to be commonplace.
No, Thursday's out. How about never - is never good for you?
Wow, so a Unix-like operating system without any services running is free of security holes?? Amazing.
I heard the other day that no powered-down Windows NT system has ever been remotely compromised. That's almost as impressive.
Conformity is the jailer of freedom and enemy of growth. -JFK
Of course, it is not Linux, but there is always OpenBSD. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.
That said, I tend to advocate being exposed to as many distros and variants as possible. Load em up on a spare box, blow them up, etc.
Educational, if nothing else.
"It is a greater offense to steal men's labor, than their clothes"
Unless things've radically changed since when I installed RH 6.1, the answer is no. You're running off a barebones system that has the software required to do the install and very little else.
If you're paranoid (with that 15 minute figure implies that you should be), you can force the first boot session of the new Redhat system to be at a runlevel that doesn't start up networking. Then you can leisurely edit config files so that no services get started. Kick the machine into a regular runlevel, download the patches, apply them, and then carefully reenable services that you really, really need.
I will admit that it's not the easiest solution, but it should work (barring a remotely exploitable networking bug in the kernel or client software), and it doesn't require a firewall.
If it's anything like what happens where I work (we're a manufacturing company in a non-tech related company), even the machines without DNS entries get scanned regularly. Most of the time, it looks like they're just scanning a single port on a range IP addresses in order (our firewall has a pair of sequential addresses assigned to it, so both attempts show up right next to each other in the log file). My guess is that they aren't even bothering with DNS -- they're just scanning anything and everything that might have a security hole in it.
Linux Summer, by Justin Cheung
I'll post some more info about Linux security over at http://www.ocamd.com/articles
RedHat 7.1 ships with very few services on with the "workstation" install. Xinetd is not even part of the install AFAIK.
-
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I'm a fairly proficient Unix/Linux admin, and I was fighting script kiddies left and right on my home machine for several years (I got rooted twice over three years). I was running my main Linux box with masquerading and filtering for a couple of other PCs and my laptop, at first on ISDN and then on cable. The only reason I didn't install a dedicated firewall at home all that time was because it felt cumbersome, like it would take up extra space and electricity and just be overkill for the small "home" network sitting behind it.
But finally I just got tired of being scanned all the time and seeing people always trying things, so (not wanting to shell out $$$ for a commercial firewall/router), I got some spare parts: a 486DX4/100 board, 16MB ram, a floppy, and two 3Com 3c509 cards. Basically, spare parts.
I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws). Then, I put Freesco (which is Linux-based) on a floppy disk and put the box between my local network and the outside world.
It's been running for a year now and I haven't even thought about it since. Not a single outsider has even come close to touching my PCs -- the Freesco 486-cardboard-box firewall/router has worked very well and I have yet to have to manually reboot it.
STOP . AMERICA . NOW
...just how often attempts are made on systems. My webserver runs RedHat 6.2 and ipchains, and so does my home firewall (cable modem). I constantly see NetBIOS attempts, which of course have no effect. My home system has a dynamic IP, but I get about the same number of attempts on both setups (about 30 attempts per day), all unique source IPs, most resolving to DSL and cable providers.
A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...
I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are comprimized each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...
I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...
I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...
I'm not sure what my point is, other than to corroborate with the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box comprimised in less than a week.
- Jman
NGWave - Fast Sound Editor for Windows
--CTH
--Got Lists? | Top 95 Star Wars Line
Trolls throughout history:
Trolls throughout history:
Jonathan Swift
Really there isn't, I always keep a good old ax right next to the cat5 going to the router, and if theres ever hacking going on, BAM chop dat sucka into peices and the bitch never knows what happened
How to set up your own honeypot
This is another interesting article on building your own honeypot.
Or paste: http://www.rootprompt.org/article.php3?article=21
I don't need a Honeynet Project whitepaper to tell me that Statistics is my enemy. I learned that in school years ago!
If all this should have a reason, we would be the last to know.
"The results were scary"
A cardbox box? What extravaganza! In my day we were lucky to find a grocery bag to throw the parts in.
A grocery bag? What luxury! When I was a kid, we were lucky if we had a nail to bolt the motherboard to the wall.
Nail and board? When I was a kid, we had to make our own transistors, write an assembler, nick a car battery, and if we were lucky, we'd find a piece of string to hold the bits together.
-- Another senseless waste of fine bytes.
Anthony Staines
-- Anthony Staines
"The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet."
Wow. If that's true, this is just crazy.
My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.
That non preparation and non attention to security leaves you with a vulnerable and insecure network.
No surprise really - the statistics indicate that they have a high rate of attack on their unsecured systems yet i would be interested how well they hide them - that is is the domain name of the network something which would attract their attention ? Ceratinly the average home user would be very scared reading these statistics which is the point i guess but makes me wonder are we scare mongering here ?
If they have gone out and setup a honeypot domain that looks very attractive to the script kiddies then im not surprised that they are attracting attention - having said that my organisation is about the most boring thing on the planet and we have a large amount of intrusion attempts (christ knows if they managed to get in we would get sued for boring hackers to death).
I still cant help but wonder if this stuff is simple setup to attract publicity and attention ?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
While informative, the paper was a little above the level of reading for those of us who are uhhh "budding" security experts. I've found this problem when trying to install an intrusion detection system on my RH6.2 486 box.
Anyone have suggestions for references an easy-to-install intrusion detection system? Maybe with a GUI?
Are there any distros with security tools installed by default?
Anyone know of an easy way to image a system setup I like, boot it off a CDROM then mount in disks for data?
Besides, if these boxen were compromised in hours, what's the point?
They _do_ use your system.
:-)
.. I could), etc. I didn't try to gain _access_. That _is_ hacking, which I despise. But I _did_ try to gain _information_. It was so fucking sad, the picture I finally assembled. The attack came from a RedHat 6.0 box run out of a little one-lung web hosting company in Anaheim. The place was so small that the Administrative, Technical, and Billing contacts I saw in the whois output were all the same guy! No firewall that I could find. The DNS records just _sitting_ _there_, all the routers with router-type names, and functionality blurted out in HINFO records, for Christ's sake! The RedHat itself box was just completely wide open. The connect to port 23 just gave the OS major and minor revisions away. Ditto port 25. And port 21 just about made me fucking cry. It was .. you guessed it .. wuftpd. The banner gave up the branding and version .. which was vulnerable as hell to remote root compromise. How long do you think the blackhat that rooted this box took to get in? 10, maybe 15 minutes, from first discovery? Less?
:-), then its bloody well good enough for others. And the price is right. :-) If you are looking for an Industrial Strength IDS for the enterprise, I have only one word of advice: stay the HELL away from RealSecure. _Really_.
:P
In _exactly_ the way Restil speculates.
I do security work at a large, stable not.dot.com. I'm the guy who goes through the IDS and firewall logs. Every single working day. Every day, I see anywhere from two to a dozen probes. _Every_ _friggin_ _day_! Blackhats just scan and scan and scan. Looking for the chump who left his network services turned on after a default install (Redhat version). Or the chump who didn't turn off file sharing (NT version). The ones whose handiwork falls under my eyes generally know very little about the systems and networks they target. They really don't need to. They make up for it in volume and persistence. See a new netblock? Scan it on port 111! You might get lucky! Some box you check out may have that port open! If so, try a nice rpc.statd exploit! The facts that _this_ netblock consists entirely of boxes with that service turned _off_, and that the firewall is configured to drop packets sent to port 111 on the floor anyway, is not a problem. The Internet is just _full_ of populated netblocks! Two seconds later, your script just checks out the next one on the list. While _you_ chat on IRC with your fellow lowlives.
Once a vulnerable box is found, exploitation is swift. 0wned.
And then? Well, you probably have no _idea_ of the number of host sweeps like the above mentioned, that I have seen the firewall log records of, where the source and destination ports are identical and privileged (i.e., below 1024). That almost always means that the IP this traffic came from has, itself, been compromised. The poor bastard who is the owner-of-record has no clue what purposes the iron he payed good money for is being used for. None.
The first time I ever spotted a host sweep in a log, I made a point of finding out as much as possible about the IP of origin. I scanned it, I checked out whether I could connect to ports 21, 23, and 25 (ftp, telnet and mail
That's the picture which has formed in my mind. A world just _full_ of boxes put together by very busy well-meaning, trusting people who just don't _understand_ just how _fast_ they will be rooted if they don't spend some serious quality time to think about how they are going to secure what they build.
Its the Wild West out there folks. Really.
BTW, much as I love Linux, OpenBSD-based firewalls just _ROCK_! Ipfilter is _so_ much better than even iptables that there is absolutely no comparison. My firewall resides on an old Pentium-90 shitbox that I bought for $50. It's fast enough for my dialup line. If you have a 24/7 broadband connection, consider an IDS. If snort is good enough for Stephen Northcutt ("Mr. IDS" to peons like me and most of the folks reading this
"Let's stay safe out there."
BTW, Hemos: thanks a million for the link. I printed out the whole article (5 pages) and tacked it to the outside of my cube. I also sent the link to my boss, my bosses boss, and the lady who is in charge of security awareness in my outfit. Yes, that means that the dozen or so folks I work with now know my Secret Identity.