Jan 27 2009 5:17PM GMT
Posted by: Joe Coley
Security,
malware,
Antimalware,
Law,
Training,
IT Education
This morning I overheard GMA making reference to the case of Julie Amero, which was the subject of my blog post in December titled “Unsavory Justice - Julie Amero vs Connecticut”. The ABC News story “Wrong Computer Click Ruined My Life” doesn’t present any new facts in the case, but does present it to perhaps a much different audience than it might have reached previously. The aforementioned links provide the background, which I will not expand upon.
However, what I do want to suggest is that there are lessons to be learned from this:
- The need for training (over and over again I see training as the number one need!). Those of us who are computer literate make many false assumptions about users; we need to rid ourselves of those assumptions. I’ve always told the users I was training, “You’re trainable”, but that doesn’t mean they’re trained! The training MUST be on-going.
- The IT department perhaps was not well enough trained either; otherwise the proper precautions that would have prevented the site accesses would have been in place. (NOTE that this assumes that IF they knew what to do they would have done it, an assumption which could be erroneous, since there is a cost associated with doing the “right” thing!)
- Leaving a system unattended can lead to mischief or mishaps, whether it’s a school classroom or a business environment, whether it’s a “dumb” use or an intentional misuse. If you leave a computer that you’re responsible for, log off!
I’m sure that there are other lessons to gain from this as well, and certainly a variety of actions that can be taken. I just couldn’t let this sit today, even though I’ve blogged on it before! The case is unsettling to me!
Jan 13 2009 11:04PM GMT
Posted by: Joe Coley
Security,
Independent programming,
Independent software developer
Within the last few hours quite a buzz has been created by the release of the CWE/SANS Top 25 Most Dangerous Programming Errors list. USA Today posted an article on the list with an insert about The Importance of the Flaws List. Earlier today the BBC News posted Dangerous Coding Errors Revealed. Certainly the buzz will continue!
There is much to be said about security, and certainly the independent developer needs to be just as mindful of potential flaws as the corporate developer in a team environment. This list is for every developer to consider. I was amazed to find a couple of practices in the Top 25 that I have, at one time or another, been guilty of doing.
The list groups the Top 25 into three categories: “Insecure Interaction Between Components”, “Risky Resource Management” and my personal favorite, “Porous Defenses”. Each error maps to a CWE (Common Weakness Enumeration) entry, which is described in detail on the CWE website. For example, one of the Top 25 in the “Porous Defenses” category is CWE-259, Hard-Coded Password. Reviewing the CWE-259 entry, I believe, begins to reveal the significance and usefulness of this Top 25 list to ALL developers.
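To make CWE-259 concrete, here is an added illustration of my own (not code from the CWE or SANS material): the hard-coded pattern as it typically appears in a PowerShell maintenance script, beside one way of getting the secret out of the script. The account name, file server, share and credential file path are made up, and the hardened version relies on Export-Clixml/Import-Clixml, which on Windows protect a PSCredential’s password with DPAPI for the user and machine that created the file.

```powershell
# Added example, not from the CWE/SANS Top 25 material. The account name,
# server, share and file paths are hypothetical.

# --- Weak (CWE-259): the password is embedded in the script. Anyone who can
# read the script (source control, a backup tape, a shared drive) has the
# credential, and rotating it means finding and editing every copy.
function Connect-BackupShareWeak {
    $User     = 'CORP\svc-backup'
    $Password = 'Summer2009!'                    # hard-coded secret
    $Secure   = ConvertTo-SecureString $Password -AsPlainText -Force
    $Cred     = New-Object System.Management.Automation.PSCredential ($User, $Secure)
    New-PSDrive -Name B -PSProvider FileSystem -Root '\\fileserver\backups' -Credential $Cred
}

# --- Better: the secret stays out of the script and out of source control.
# One-time setup, run interactively AS the account that will run the job,
# ON the machine that will run it:
#     Get-Credential | Export-Clixml -Path 'C:\ProgramData\Jobs\svc-backup.cred'
# Export-Clixml stores the SecureString protected with DPAPI, so the file only
# decrypts for that same user on that same machine. Restrict its NTFS ACL to
# that account anyway: DPAPI protects the content, not who can see the file.
function Connect-BackupShare {
    param([string]$CredFile = 'C:\ProgramData\Jobs\svc-backup.cred')   # hypothetical path
    if (-not (Test-Path -Path $CredFile)) {
        throw "Credential file '$CredFile' not found; run the one-time Get-Credential | Export-Clixml setup first."
    }
    $Cred = Import-Clixml -Path $CredFile
    if ($Cred -isnot [System.Management.Automation.PSCredential]) {
        throw "'$CredFile' did not deserialize to a PSCredential."
    }
    New-PSDrive -Name B -PSProvider FileSystem -Root '\\fileserver\backups' -Credential $Cred
}

# Only the hardened version is called; the weak one is kept for comparison.
Connect-BackupShare
```

With the credential file in place, rotating the password means re-running the one-time setup as the service account; the script itself never changes and never needs to be checked back in.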
Personally, to be honest, I might not have paid much attention to it had it not been called to my attention by my son, who has been involved in the project for months. I hope readers of this blog find the material useful themselves. Oh yes, it is estimated that some 85% of the criminal activity on the internet has resulted from these Top 25 “NOT best practices” in coding.
Dec 26 2008 11:00PM GMT
Posted by: Joe Coley
disaster recovery planning,
Backup Strategy
Nobody that I know disagrees about the value of and need for reliable backups. Regardless of company size, having backups in place that protect company data is essential, yet recent writings and surveys seem to indicate that very few disaster recovery plans are tested for their effectiveness. In fact, most “true” disaster recovery plans take into account much more than data backup.
A disaster recovery plan is like business continuity insurance — without it the best one can hope for is to “remember” all of the required pieces in order to solve the resulting puzzle. Documentation is the best friend of a disaster recovery plan. As an absolute minimum those functions absolutely required for the business to operate need to be identified, and a plan for recovering those functions documented thoroughly and clearly so that minimal “expert” help is required. Speed of recovery must be considered, as well as the multitude of different disaster scenarios “most” likely to be faced.
For the small company, my experience indicates that the most overlooked part of the backup strategy is ensuring that a backup somehow resides off the premises of the “server” room. Many companies have gone to backing up to a USB disk attached to the system. This provides safety in the event of server failure, and provides for quick backup and recovery. However, in most cases the disk receiving the backup is physically located in the immediate proximity of the server and stays there, and as such is subject to the same physical disaster potentials, such as water, flood and fire, as the server itself.
Using tape as a backup medium has a number of disadvantages; however, it is very easy for a backup tape to be taken off-premises consistently. Perhaps it is not quite as easy when the backup target is a USB disk, but how much is that data really worth? Somehow, it’s certainly best to have an off-premises backup.
Dec 23 2008 1:17PM GMT
Posted by: Joe Coley
Security,
malware,
Law
Perhaps I’ve had my head buried too deeply in code over the past 4 years or so, but it wasn’t until this morning that I became aware of this unfortunate event playing out less than 100 miles from my home. Since I blog only here, don’t have a MySpace, rarely purchase on-line and seldom visit anything other than a site immediately related to a project I am involved with or might become involved with, I guess one could say that I lead a sheltered life!
The case came to my attention as the result of my generally inquisitive nature and of reading the latest Sunbelt Security News, a newsletter which I follow with some regularity. Anyway, in case you have also had your head in too much code, the case in short (very short) is this: Julie Amero was a middle school substitute teacher who had the unfortunate experience of having the computer she was on begin showing pornographic pictures. She was charged with and convicted of felony charges of impairing the morals of a child, with sentencing delayed (since it appeared that perhaps not all aspects of the case were solid). Her conviction was thrown out and she was granted a new trial. On November 21, 2008 her saga ended with a guilty plea to disorderly conduct. She lost her teaching credentials, her health has been compromised, and she paid a $100 fine.
What happened to her in that classroom reminded me of an incident I experienced a few years back when I got a frantic call from a woman at her workstation who just couldn’t get rid of the pornographic popups that kept coming at her. She was not a “knowledgeable” computer user and had no idea what to do! In her case, what was discovered was that some member of the night-time cleaning company had decided to make use of the company’s high speed connection to access porn sites; the result was a compromised PC, left ready for its next user to experience.
Now, clearly I do not know all the facts related to the Amero case, but what happened is surely a tragedy, as well as another example of the need to remain constantly vigilant about keeping anti-virus and anti-malware tools updated and under control.
Nov 26 2008 10:42PM GMT
Posted by: Joe Coley
Application Security,
IT Management
We’ve all seen them — the little yellow sticky notes pinned up on the workstation board, or attached to a cabinet, or whatever other clearly convenient and visible place that is available — the ones with username / password combinations scratched on them for all to see! Is it any wonder that studies indicate that our most vulnerable areas of system security come from within?
While we may require “strong” passwords which get changed every 30 to 60 days, they can be even more susceptible to being “written down” where the user can “remember” them. In my experience, the more restrictions put on a “strong” password, the more often users will write it down because they’re afraid of forgetting it. I don’t blame them, but it sure destroys the security that we try to build into our systems.
Add to this password mess the varying requirements of individual systems, networks and workstations, and the situation becomes convoluted at best. What got me going on this blog path was seeing the statement “Sticky notes don’t make for good security” in something I was reading. My response to the statement is, of course, DUH!
So, how to get passwords under control? Wouldn’t it be nice if we had an application that securely allowed us to use a single password to access all resources matching our security level? A Google search on password management tools returns a number of entries; however, at a quick glance most tools seem to be specific to Mac or Windows environments exclusively. It seems to me that most desirable would be an application which serves ALL common O/S environments, as well as databases.
Maybe I just want too much, but I can dream, can’t I?
Oct 17 2008 11:30AM GMT
Posted by: Joe Coley
Security,
Windows Security,
IT Management
As some new system or network need comes up, either for myself or for a client, I may find myself searching the internet for something to fill that need. Obviously this must be done with care and more than a bit of due diligence. There are in fact many excellent resources available on the internet, but when faced with finding a “new” supplier, say for something like a utility, how do you decide whom you can trust? I’ve been considering this for quite some time now and realized that I have developed some pretty basic “first steps” to establishing some trust in the site or utility that I’m considering.
1. First impressions are lasting impressions for me, at least when it comes to a website’s home page. If I follow a link to an interesting utility, the page I land on will determine immediately whether I go any further. I expect the page to provide information about the utility; I don’t want flashing “Buy Now” or “Download FREE Now!” buttons offering me a special discount (why me? Lucky number? I don’t think so!). A site failing this brings me to exit immediately.
2. Site references are important to me, things like “How did I get to this site? Was it a link from the page of a website I trust, such as TechTarget? Was it a link which the vendor has paid for, i.e. a purchased advertisement?” Are there references on other sites which describe experiences with the utility as to its effectiveness? In other words, can I easily find anything about others’ experiences with the utility?
3. Recommendations from personal contacts play a large part in my deciding to “trust” a site’s offerings.
4. I recently downloaded a C++ script from a site I didn’t know and compiled it, a script to provide very basic I/O and file creation and deletion information. This was a case where even I, with my limited knowledge of C++ scripting, could see that what the program was doing would be “safe”. The site I downloaded from wasn’t flashy, but it clearly met my requirements in 1 and 2 above.
With so much “free” available on internet pages a prudent approach to choosing downloads is essential. Selected wisely, much valuable information, utilities or even “free” applications can save time and dollars.
Jun 25 2008 3:53PM GMT
Posted by: Joe Coley
Networking,
Security,
Software testing,
Software Quality,
IT Management,
Custom software development,
IT administration
Sometimes I feel more like I’m a detective than programmer/analyst. Fact is, I believe, that there has to be at least a little bit of detective in every IT person who has the opportunity to evaluate software applications and their sometimes strange behaviors.
As an example of what I mean, I share with you an opportunity I’ve been presented with that has surely become a mystery worthy of any good detective, or perhaps a sick mind :-). Picture this: an application that runs flawlessly and with acceptable speed on a minimally configured server, when moved to a new “high-end” server, slows down to borderline acceptable performance, clearly and noticeably slower than on the old one. Both systems use RAID 5, and both are running MS Server 2003 SBS. The main differences between new and old are that the new one uses more powerful chips, faster drives, 4 times the RAM and gigabit network connectivity, none of which cause me to suspect that it should run slower than the old.
The issue was called to my attention after the company “network” guys had all but thrown up their hands and said basically “…it must be the application…”. It seems very hard to believe that it would be anything other than configuration of “something” on the new server.
As yet the issue remains unsolved, but I use it to highlight one of the great challenges that we in the IT field are presented with. One need not look beyond the next IT person you talk with to find the next “detective” story or unsolved mystery. We are faced with them constantly. We need software and hardware tools, knowledge bases and lots of experience to investigate and solve such issues. Issues which cross various specialties such as security, networking, programming, application testing and design require us to be “detectives”: to ask the right persons the right questions, to find the right tool to identify the cause of the problem, and to recognize opportunities to “check into”.
“Lots of luck” also helps!
Mar 25 2008 6:25AM GMT
Posted by: Joe Coley
Security,
Windows Security,
Software application development,
Custom software development,
PowerShell
Nobody has ever accused me of adopting software or utilities upon their immediate release. Actually, as the plethora of articles about new products or products under development appears, I look them over briefly, but generally don’t give them much attention. With that said, it is no surprise that I had no clue that Microsoft was developing a new tool for administrators: Windows PowerShell.
Having worked within a UNIX and Linux environment for many years, I became very accustomed to creating powerful scripts to accomplish tasks. Even with the limitations of Microsoft’s command shell, I often would find that I could do things much more quickly at a command line than with a graphical interface. Now Microsoft has given me a whole new tool to learn — and I suspect I will find myself using the command line once again more and more frequently.
I only discovered Windows PowerShell today when I was reading the April edition of Microsoft TechNet Magazine. What caught my eye initially was an article regarding PII (Personally Identifiable Information). The article (Really talking about security on your system) showed various examples of finding PII on your system using Windows PowerShell. As of this writing I am not finding the article on-line, however, as it appears to be the March issue that is on-line at this time.
Getting the glimpse I did of PowerShell from the article had me quickly imagining many uses for the power which seemed to be available using this new tool. I searched for, downloaded and have now installed PowerShell on my XP, Vista and server 2003 systems.
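Since the article itself isn’t on-line as I write, here is an added example of my own of the kind of search it described, not code from TechNet: walk a directory tree and report lines that look like US Social Security numbers or 16-digit payment card numbers, with a Luhn checksum to discard most random digit runs that merely resemble a card number. The root path and file extensions are assumptions, and the script assumes PowerShell 3.0 or later for Get-ChildItem -File and [pscustomobject].

```powershell
# Added example, not the TechNet article's code. $Root is an assumed path;
# adjust it and the extension list to the systems you are checking.
# Assumes PowerShell 3.0 or later.
$Root = 'C:\Data'

# Deliberately simple patterns. Expect false positives (order numbers, phone
# fragments) and review every hit by hand before acting on it.
$Patterns = @{
    'SSN'  = '\b\d{3}-\d{2}-\d{4}\b'
    'Card' = '\b(?:\d{4}[ -]?){3}\d{4}\b'
}

# Luhn checksum: rejects most random 16-digit runs that merely look like cards.
function Test-Luhn {
    param([string]$Candidate)
    $digits = @(($Candidate -replace '[^0-9]', '').ToCharArray() | ForEach-Object { [int][string]$_ })
    [array]::Reverse($digits)
    $sum = 0
    for ($i = 0; $i -lt $digits.Count; $i++) {
        $n = $digits[$i]
        if ($i % 2 -eq 1) { $n *= 2; if ($n -gt 9) { $n -= 9 } }
        $sum += $n
    }
    return ($sum % 10) -eq 0
}

# Text-like files only; binaries and locked files are skipped quietly.
$files = Get-ChildItem -Path $Root -Recurse -File -Include *.txt,*.csv,*.log,*.xml -ErrorAction SilentlyContinue

$hits = foreach ($type in $Patterns.Keys) {
    $files | Select-String -Pattern $Patterns[$type] -AllMatches | ForEach-Object {
        $result = $_
        foreach ($m in $result.Matches) {
            # Card-looking strings must also pass Luhn before being reported.
            if ($type -eq 'Card' -and -not (Test-Luhn $m.Value)) { continue }
            [pscustomobject]@{
                Type  = $type
                File  = $result.Path
                Line  = $result.LineNumber
                Match = $m.Value
            }
        }
    }
}

$hits | Sort-Object File, Line | Format-Table -AutoSize
```

Run it as an account that can read the data but treat the output as sensitive itself: the report contains the very values you were looking for, so don’t leave it on a shared drive or in a mail message.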
If you have not investigated this free tool from Microsoft I’d suggest that you go for it! I have only begun to look at the functionality available, and I am impressed — and it generally takes a bit for me to be this way about a new product.
Mar 18 2008 6:16AM GMT
Posted by: Joe Coley
Security,
Software testing,
Software Quality,
Software application development,
Custom software development,
Small Business Computing
Since reading the white paper entitled “Trustworthy Computing” on the Microsoft link provided by reader Willie Robinson, I have been thinking about the concept of “Trustworthy Computing”, almost to the point of distraction, so I figured it was time to blog about it!
I first noted when reading that Microsoft paper that it was dated 2002. This prompted me to try a Google search on “trustworthy computing”, and I discovered a recent article posted on campustechnology.com entitled “Trustworthy Computing: Examining Trust”. I found this article particularly interesting because very early on a reference was made to the fact that there is still a long way to go.
I have found myself wondering since reading the Microsoft white paper just how possible it is to develop the same kind of confidence and trust in our computing environment that we have in our automobiles or telephones. Computing, however, seems to be an area where an everyday cat-and-mouse game is being played between the good guys and the bad guys. What happens when a good guy goes bad? That has happened!
It seems to me that until the larger issues of global cooperation and trust are resolved, we will not see global trustworthy computing. On the very first page of Microsoft’s “trustworthy computing” white paper, they state “… Because computers have to some extent already lost people’s trust…”. My experience would be that this is a gross understatement. Significant data breaches have shaken the security foundation to its core, and significantly eroded the trust that has been built up in recent years.
If this topic interests you, take a look at the most recent article that I’ve referenced above. It is also a great read.