Open Source Software and Linux: March, 2009 archives


Mar 27 2009   6:55PM GMT

And you thought Conficker was dead



Posted by: John Little
Security, Microsoft, Conficker, downadup, Linux, open source

The Conficker worm that infected millions of computers starting last October was believed to be at bay. Not so, according to Vincent Weafer, vice president of Symantec’s security response group.

Computers infected with this worm are being updated with a stronger variant. The variant is designed to sidestep security measures attempting to cut the connection between infected machines and its hacker controllers. An estimated 20 technology companies, including Microsoft, have joined together to try to counter the stronger variant.

They are attempting to stop the worm by pre-registering domains that they believe the worm will use. According to Symantec and others in the group, the worm can register up to 50,000 domain names a day. The domains are used to band together the infected computers and route the worm to other computers for infection.

The new worm is also better at resisting eradication. “It’s turning off a variety of security services,” Weafer said, as well as tools often used by security companies to dig into malware.

Weafer also believes that the number of infected computers has peaked. “The number of infected machines is constantly dropping, so we’re dealing with a much smaller pool [of devices] that are potentially getting this update,” Weafer said.

There is a bright side to all of this. Linux users don’t have to worry about this. We don’t need to download Microsoft’s patch to fix our machines. What is really glaring is that, so far as I know, there are no open source companies in the group that has joined together to protect Windows computers. Maybe they should consult with them and teach them how to write software that is not so susceptible to attacks like this.

This whole thing started because of a security vulnerability in the Microsoft OS. When are Microsoft users and companies going to wake up and realize how expensive it is to continue using this brain dead OS? FWIW my definition of brain dead is an OS that has users, administrators and anyone else who uses the machine pointing and clicking to set up the OS and not knowing what they just did. No wonder that OS gets attacked so much.

If you have a Microsoft machine that is infected, what you need is the MS08-067 security update. You’ll have to look it up yourself - I have no need for it. You can read more about this fiasco here.

I’ll stick with my Linux and Open Source software thank you very much.

-j

Mar 26 2009   12:18AM GMT

Protect your ssh server with DenyHosts



Posted by: John Little
ssh, SSHD, secure, Security, denyhosts

If you have an SSH server that is accessible from the internet then you should look at the DenyHosts application to protect your servers and networks.

DenyHosts protects your servers by parsing your ssh log for failed attempts at ssh login. The log where this is recorded varies by distribution. On Red Hat it is /var/log/secure, and /var/log/auth.log on Mandrake. You should have one of these log files on your system.

DenyHosts works by monitoring these logs for failed ssh login attempts. It also tracks which user accounts are targeted. When it finds repeated failures from the same IP address, it inserts that address into your /etc/hosts.deny file, effectively blocking the offending crackers.

Like any security measure, this one can be shored up by implementing complementary measures. These would include disallowing root logins, using a port number other than 22 and disabling password logins. All of these can be set in your /etc/ssh/sshd_config file. Your ssh daemon must be restarted after making these changes.
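What DenyHosts does with the log, reduced to a short script: count failed sshd logins per source address, track the user names that were tried, and produce the hosts.deny lines for sources that cross a threshold. A small check for the three sshd_config settings mentioned above is included. This is an added example, not DenyHosts’ own code. The log lines and the sshd_config fragment are constructed (RFC 5737 documentation addresses, not real hosts), the threshold of 3 failures is an assumption (DenyHosts has its own configurable thresholds), and the audit relies on two facts about OpenSSH: sshd honours the first occurrence of a keyword in sshd_config, and the OpenSSH 5.x defaults are PermitRootLogin yes, PasswordAuthentication yes, Port 22.

```python
import re
from collections import defaultdict

# Matches the "Failed password" lines sshd writes to /var/log/secure (Red Hat)
# or /var/log/auth.log.  "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar 26 00:01:02 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 26 00:01:05 srv sshd[2101]: Failed password for invalid user oracle from 203.0.113.5 port 40123 ssh2
Mar 26 00:01:09 srv sshd[2104]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar 26 00:02:11 srv sshd[2110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 26 00:02:40 srv sshd[2112]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Mar 26 00:03:15 srv sshd[2120]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 26 00:03:16 srv sshd[2120]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 26 00:03:17 srv sshd[2120]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# Constructed sshd_config fragment with the settings the post says to change.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""


def parse_failures(log_text):
    """Return {source ip: [targeted user names, in log order]} for failed logins."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)


def hosts_deny_entries(failures, threshold=3, existing=""):
    """Lines to append to /etc/hosts.deny: 'sshd: <ip>' for each source that
    reached the failure threshold (assumed 3 here) and is not already listed."""
    listed = set()
    for line in existing.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("sshd:"):
            listed.update(h.strip() for h in line[5:].split(","))
    return [f"sshd: {ip}" for ip, users in sorted(failures.items())
            if len(users) >= threshold and ip not in listed]


def audit_sshd_config(config_text):
    """Flag the three sshd_config settings the post recommends changing.
    sshd uses the first occurrence of a keyword, so later duplicates are ignored;
    a missing keyword takes the OpenSSH 5.x default (yes / yes / 22)."""
    defaults = {"permitrootlogin": "yes", "passwordauthentication": "yes", "port": "22"}
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in defaults and key not in effective:       # first occurrence wins
            effective[key] = value
    findings = []
    if effective.get("permitrootlogin", defaults["permitrootlogin"]).lower() == "yes":
        findings.append("PermitRootLogin is yes: set it to no")
    if effective.get("passwordauthentication", defaults["passwordauthentication"]).lower() == "yes":
        findings.append("PasswordAuthentication is yes: set it to no and use keys")
    if effective.get("port", defaults["port"]) == "22":
        findings.append("Port is 22: move sshd to a non-default port")
    return findings


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for ip, users in sorted(failures.items()):
        print(f"{ip}: {len(users)} failures, users tried: {sorted(set(users))}")
    print("hosts.deny additions:", hosts_deny_entries(failures))
    print("sshd_config findings:", audit_sshd_config(SAMPLE_SSHD_CONFIG))
```

On the sample log, 203.0.113.5 and 192.0.2.9 each reach three failures and get a `sshd:` entry, while 198.51.100.7 (one failure followed by a successful login) does not. Passing the current contents of /etc/hosts.deny as `existing` keeps the script from appending an address twice.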

You can download DenyHosts here.

-j


Mar 24 2009   12:19AM GMT

Open Virtualization Format (OVF) released



Posted by: John Little
dtmf, open virtualization format, xen, vmware

The Distributed Management Task Force (DMTF) released the finished version of the Open Virtualization Format (OVF). The OVF is a set of metadata tags that can be used to deploy virtual environments across multiple virtualization platforms.

Using OVF, users can download a virtualized application and run it on the operating system on which it was developed. Since the OVF is not hypervisor dependent, users can install it on the virtualization platform of their choice. Admins and other users can download the OVF packaged software and install it within their own virtual infrastructure instead of recreating the virtualization platform on which the software was originally installed. By using this, admins can get new applications into production faster.

OVF is actually a set of metadata that describes the virtualization container. This allows the virtualization platform to translate the machine into its own environment. While the practice of competing virtual platforms translating virtual machines to run on their platform is not new, until now there has not been an open source application that would wholesale translate any virtual machine into any virtual environment. This is all accomplished by using the metadata standard developed for the OVF.

OVF can also be used to manage virtual machine installations. For example, if machines are required to start in a certain order to allow for dependencies, the OVF can handle this. You can find out more about the OVF here.
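As an added example (not DMTF’s or any vendor’s code), the following Python script reads the start order that an OVF descriptor records for a package containing more than one virtual machine, and checks that every machine named in that order actually exists in the package. The descriptor is constructed: it uses the OVF 1.0 envelope namespace and the StartupSection element with its ovf:id, ovf:order, ovf:startDelay and ovf:waitingForGuest attributes as DMTF specifies them, but carries only the sections needed here, so it is not a complete, importable package.

```python
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"   # OVF 1.0 envelope namespace
NS = {"ovf": OVF_NS}

# Constructed two-VM descriptor: the database tier must be running before the
# web tier is started.  Only the sections needed for this example are present.
SAMPLE_OVF = f"""\
<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">
  <References>
    <File ovf:id="db-disk" ovf:href="db.vmdk" ovf:size="1048576"/>
    <File ovf:id="web-disk" ovf:href="web.vmdk" ovf:size="1048576"/>
  </References>
  <VirtualSystemCollection ovf:id="two-tier-app">
    <Info>Constructed two-tier application</Info>
    <StartupSection>
      <Info>Start order of the virtual machines</Info>
      <Item ovf:id="web" ovf:order="2" ovf:startDelay="0"/>
      <Item ovf:id="db" ovf:order="1" ovf:startDelay="30" ovf:waitingForGuest="true"/>
    </StartupSection>
    <VirtualSystem ovf:id="db">
      <Info>Database virtual machine</Info>
    </VirtualSystem>
    <VirtualSystem ovf:id="web">
      <Info>Web virtual machine</Info>
    </VirtualSystem>
  </VirtualSystemCollection>
</Envelope>
"""


def _attr(elem, name, default=None):
    """Read an ovf:-namespaced attribute such as ovf:order."""
    return elem.get(f"{{{OVF_NS}}}{name}", default)


def startup_order(ovf_text):
    """Return [(vm id, start delay in seconds, wait for guest?)] in the order
    a deployment tool should power the machines on."""
    root = ET.fromstring(ovf_text)
    items = []
    for item in root.iterfind(".//ovf:StartupSection/ovf:Item", NS):
        items.append((int(_attr(item, "order")),
                      _attr(item, "id"),
                      int(_attr(item, "startDelay", "0")),
                      _attr(item, "waitingForGuest", "false") == "true"))
    return [(vm, delay, wait) for _, vm, delay, wait in sorted(items)]


def dangling_startup_refs(ovf_text):
    """ids named in the StartupSection that match no VirtualSystem.  An importer
    should reject such a descriptor instead of guessing at the start order."""
    root = ET.fromstring(ovf_text)
    systems = {_attr(vs, "id") for vs in root.iterfind(".//ovf:VirtualSystem", NS)}
    referenced = {_attr(it, "id")
                  for it in root.iterfind(".//ovf:StartupSection/ovf:Item", NS)}
    return sorted(referenced - systems)


def referenced_files(ovf_text):
    """Files (disk images here) that must ship with the descriptor."""
    root = ET.fromstring(ovf_text)
    return [_attr(f, "href") for f in root.iterfind("ovf:References/ovf:File", NS)]


if __name__ == "__main__":
    print("files:", referenced_files(SAMPLE_OVF))
    print("start order:", startup_order(SAMPLE_OVF))
    print("unknown machines in start order:", dangling_startup_refs(SAMPLE_OVF))
```

For the constructed descriptor the start order comes back as the database first, with a 30 second delay and a wait for the guest to report in, then the web machine. Changing the Item’s ovf:id to a name with no matching VirtualSystem makes `dangling_startup_refs` report it, which is the sort of consistency check an importer wants before it acts on the metadata.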

-j


Mar 23 2009   3:17AM GMT

Virginia releases first open source text book



Posted by: John Little
open source, education, science, technology, electronic textbook

Virginia has released a beta version of the nation’s first open source textbook. The book is a collaboration by the state departments of Technology and Education as well as volunteer educators, engineers and scientists.

The book was developed using web-based resources to quickly update information and aid in the collaboration effort. The tools include technologies such as Java, Django, Ajax and the Google Web Toolkit. The book was produced using the FlexBook platform developed by the CK-12 Foundation of Palo Alto, Calif.

The Virginia Physics FlexBook is an effort to update educational material more quickly than can be done with traditional textbooks. The typical review and procurement cycle of states and school systems, coupled with the several years it can take for changes to make their way into published texts, means that students in even the best schools could be using material that is a decade or more out of date.

A typical textbook can be over a decade behind current technology and events. The procurement cycle, coupled with the time it takes changes to make their way into published text, causes obsolete material to become part of a school’s curriculum. The speed of information change and technology makes this unacceptable in preparing students for today’s workforce.

A team of scientists and engineers studied Virginia’s science education curriculum and concluded that it was inadequate to prepare students for the 21st century workforce. Given that it discussed such things as cathode ray tubes (CRT) and had no mention of LCD, LED or plasma for monitors and televisions it is easy to understand the conclusion. It also epitomises the need for a way of producing a textbook and curriculum quickly and at low cost to keep pace with the technology that students should be studying. Open source provided the correct vehicle to accomplish this end.

The team, led by retired NASA research engineer Jim Batterson, recommended that teachers have access to an open-source platform that would let them develop and share their own course material in a cooperative environment, such as a wiki.

Beyond the obvious benefits that such a textbook provides American students I am happy to see the recognition of open source by our government and institutions of higher education and the cost-benefit ratio that it provides.

Read more about the project here.

-j


Mar 21 2009   11:38PM GMT

How safe is your search engine?



Posted by: John Little
Security, search engines, malware, malicious web sites, malicious code, Browsers, web browsers

Crackers are increasingly attempting to influence the behavior of search engines to get them to misdirect users to malicious sites, says security firm Marshal.

Unknowing users are asked to download an anti-malware application to protect their computers. The malware program then installs its malicious code onto the user’s computer.

Microsoft has attempted to help users with its Internet Explorer browser by using what they call the SmartScreen filter. The filter checks servers that host downloads to determine if those servers have a history of giving out malicious content. If they do, the user is warned that they may be on a malicious web site.

Crackers also add links to bad websites in blog comments. Posting links to such sites is known as blog spamming. When a user goes to one of these sites, the cracker has automated tools that help gain entry into the user’s computer.

Unfortunately there is no firewall rule to prevent the foolishness of people visiting such sites. Once they are there, bad things happen. Updated browsers, proxy servers and black and white lists certainly help. Still, the best prevention for eliminating problems is educating users about what to avoid, along with the aforementioned methods.

-j


Mar 21 2009   9:09PM GMT

Government scholarships for studying cybersecurity



Posted by: John Little
scholarship, us government, cybersecurity, scholarships, technology, federal agency, Security, computer security

The US Government will give you a full scholarship for college if you want to become a cybersecurity specialist. The scholarship covers room and board, books and tuition.

The obvious question here is “What do I have to give them in return?” Two years of government service at a federal agency in a cybersecurity position. That’s not a whole lot to ask in my opinion. Think about it. You’re getting a paid-for education in a field whose demand is only going to grow, and all you have to do is work at a federal agency for two years using what you majored in at college. Not bad.

The program, known as SFS (Scholarship for Service), is run jointly by the National Science Foundation and DHS. SFS is quickly becoming known for more than just recruiting talent for its scholarships:

In the information assurance community, SFS is becoming widely recognized as indispensable, especially when government demand for highly skilled information technology security professionals is surging because of Information Systems Management Act requirements, the inexorable growth in security operations centers and an impending wave of retirements.

Michelle Kwon, who graduated from the program, has this to say about it:

“When I graduated from the SFS program, I really thought I was going to do my two years [of government service] and then jump to industry and make big bucks,” Kwon said. “But I was given opportunities through the program that I wouldn’t have had otherwise.”

Michelle is now in a high-powered position as director of the Homeland Security Department’s U.S. Computer Emergency Readiness Team. Last year she was named director of US-CERT.

You can read more about the program here.

If I were a student and looking for a way to go to college this would be a fantastic way to go.

-j


Mar 20 2009   7:32PM GMT

Are you using myOpenID? (They launched a Wordpress plugin)



Posted by: John Little
openid, myopenid, single sign on, sso, authentication, web authentication

myOpenID is an open source third-party authentication tool allowing users to have one login across multiple websites. myOpenID is developed by JanRain.

Making life even better, OpenID works with many websites where you may already have an identity. These include Facebook, MySpace, Google, Yahoo, AOL and Windows Live ID. Many sites will allow you to use your authentication information from one of these sites to log in to their site.

JanRain eases the integration of OpenID with their RPX product. RPX allows websites to be up and running in an afternoon with OpenID. They recently launched a Wordpress plugin for blogging sites. This site uses Wordpress. I wonder if we’ll be getting OpenID :-)

OpenID has launched a demo of the RPX product here. The plugin demonstrates the ease with which the RPX turnkey solution can be implemented.

OpenID now has over 35,000 sites using their product. These include high profile sites like PayPal, Plaxo, Sun and AOL.

I know that I use it with Yahoo as my identity provider for sites that accept them. I could use my myOpenID authentication for all of them if I chose to do so. You should try it; it’s nice to be able to use existing web identities instead of having to register at sites that you want to use.

-j


Mar 19 2009   1:00AM GMT

Seven must have skills for a server room manager



Posted by: John Little
Server room, manager, management, technology, technologist

I ran across this article in which Celerity Works’ Mike Lisagor, who is the author of The Enlightened Manager, discusses the seven skills a server room manager must have.

Seven Skills
Increasingly, the management skills needed to be an effective server room manager encompass much more than technical knowledge, according to Lisagor.

Successful managers at any level need intangible skills such as: treating people with respect; being honest as to project status; being a good listener; keeping in sight what the overall mission is and prioritizing technology implementation within budget and cultural realities.

Here is a summary of seven skill sets that will set you apart:

1. Be Stakeholder Savvy
Connect with stakeholders at all levels and departments within your organization including program managers, technical managers, contracting staff and senior executives. This will give you access to the organizational intelligence you will need when you must deploy resources to meet competing goals. Be an active participant and you will develop the business savvy you need to succeed.

Also be willing to work at any hour; IT often means the flexibility to work non-standard hours and be available 24/7.

2. Set Reasonable Expectations
Organizations are looking to IT to deliver solutions. Don’t over-promise; set expectations properly so that your management and users understand how much the solution will cost, how long it will take to deploy, and exactly what it can and can’t do.

3. Be In Charge Of Your Budget
Be ready to discuss topics such as ROI and TCO with program and contracting staff. If you understand and can explain both the upfront and long-term costs of technology solutions, you’ll be better able to guide your organization in making technology choices that will positively impact the business. Managing your budget involves looking not only at expenditures, but also at expected returns.

4. Be A Trusted Technology Advisor
Be a realist as to what current and new technologies can do and not do. Say “no” to technologies that won’t fulfill the organization’s missions - no matter how “cool” they are. Do this and you’ll be seen as a credible source for technology advice and heighten your strategic value to the organization.

5. Get Credentials, Gain Practical Experience
Education and certifications such as MCSE, CCNA or CompTIA A+ matter. So do security specific certifications. A mix of Linux and Windows server abilities is extremely desirable.

The talent pool is deep, so you need to be able to compete. In government, you can take advantage of reimbursement programs for training opportunities, but if you must invest in certifications on your own, do it and you’ll quickly realize the return on this investment in your career.

Getting practical experience can be a “chicken and egg” dilemma. So, don’t be afraid to get down in the trenches. Build a server from scratch, which requires researching component capabilities, analyzing price/performance data, choosing brand or vendor, dealing with power, cooling and other “green” factors, and troubleshooting problems.

6. Be Tactful and Patient
Hone the skills that allow you to navigate smoothly through your organization. Often you will need to explain technology to non-technical staff and talk about the pros and cons in language they can relate to. Being patient is an absolute must. It can make or break your career as issues and problems often take much longer to solve than anticipated.

7. Be Optimistic - Mix management and IT skills
Come to work each day with a positive attitude. This will take you far. As you move higher up in the organization, the emphasis moves toward a mix of IT, management and other skills. Many of the issues faced have little to do with IT systems directly, such as power and cooling. If you want that senior management position you’ll need knowledge - or at least an understanding - of areas outside of IT, such as facility management, engineering, and probably corporate politics and PR.

“The need for management to communicate with those around them has never been more pressing. The rapid growth of technology has increased work complexity and the need to coordinate with many individuals located in multiple places and organizational units,” Lisagor told 1105 Government Information Group Custom Media.

“Every manager can make a difference, and the more enlightened the manager is, the more enlightened the organization will be.”

That’s some information any technologist can take to the bank.

-j


Mar 18 2009   11:35PM GMT

IRS a little lazy on scanning servers for malware



Posted by: John Little
irs, virus, malware, hackers, crackers

A recent report by the Treasury Inspector General for Tax Administration (TIGTA) noted that the IRS scans about 89% of its servers weekly for malware and viruses. That should give you a warm and fuzzy feeling.

Apparently they believe that employee workstations pose more of a threat. All employee workstations are scanned weekly. Of the 11% of servers that aren’t scanned weekly, some are scanned intermittently and others not at all.

According to Michael Phillips, the deputy inspector general for audit, the IRS’ Cybersecurity Computer Security Incident Response Center responded to 961 malware incidents in calendar year 2008, an increase of 45 percent over the prior year.

The TIGTA also said that the IRS has adequate controls in place to prevent and respond to malware attacks. They have also built up the security structure to deal with the increasing threat of crackers.

The inspector general also recommended that IRS administrators should not be accessing the internet with their IRS logons. Employees and their managers should also be notified when their browsing results in a successful malicious code incident.

Terence Milholland, IRS’ chief technology officer, said in response that the service would begin to scan all servers weekly by May 1 and implement regular reminders on Internet access restrictions by Aug. 1. The IRS would start notifying employees and their managers when their activity results in a malware incident, he said.

You can access the full report here.

-j


Mar 17 2009   12:20AM GMT

Want to know how the Federal Government uses virtualization?



Posted by: John Little
los alamos, computing, technology, Virtualization, green computing, Security, consolidation

I have often wondered how the really big technology users, like the Federal Government, utilize various technologies such as virtualization.

Now we can all get a first-hand look by watching an eSeminar presented by Government Computer News. They are presenting Anil Karmel, a solutions architect in the network and infrastructure engineering division at Los Alamos National Laboratory, in an eSeminar at 2 p.m. Tuesday, March 24.

In the seminar Mr. Karmel will present the initiatives taken by Los Alamos to address such things as green computing, disaster recovery and security. During the presentation he will discuss:

How Los Alamos National Laboratory implemented virtualization to reduce their carbon footprint and consolidate data centers across their campus;

How to leverage server virtualization to cost-effectively supplement your disaster-recovery or business-continuity plan;

How to identify “low hanging fruit” for your agency’s green initiatives while achieving a substantial return on your investment; and

Moving computing from the desktop to the data center to enhance your agency’s security.

Sounds like a good place to learn about how some really smart people implement virtualization. I certainly plan on being there. You can read more about it here.

-j