An interesting conversation with our interim campus president at the college today brought back to mind a post from more than five years ago. A server crash this morning made her wonder if a former network administrator, who did not leave on good terms, still somehow had a hand in the incident. Apparently, this fellow had succeeded in planting a logic bomb in the network timed to go off on the date of each new term start. Today was a new term start; today the server crashed. Our president’s logic said that “[name withheld] was up to his old tricks.” It wasn’t that, fortunately. The power supply died.
What was revealing about that conversation is that management at the time failed to consider an internal threat. No doubt the other faux pas were also committed. I saw evidence of them when I first took on the role of network administrator and have since corrected things. So, here’s a reminder of how NOT to do things.
Here are my Top Five Security Faux Pas beginning with number five:
- 5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are often first to find a flaw and first to exploit it, and a patch only closes the hole after the vendor learns about it. Updates are necessary; they are not sufficient.
- 4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a CCIE Security on staff? Good for you! If not, this isn’t a good option: a rule bolted on without understanding the existing rule base is as likely to open something as to close it.
- 3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be there. Buried among those thousands of failed attempts at finding an open port are the few that reach one, attempt a connection and fail. Do you see them?
- 2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.
- 1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…
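Item 3 is the one that benefits from a worked example. The Python script below is an added example, not code from the original post: it parses a constructed sample of iptables LOG lines and a constructed sample of OpenSSH auth-log lines and reports the sources that first probed several closed ports and then actually reached the SSH service and failed to log in, which is exactly the needle item 3 says gets buried in the hay. The log prefix FW-DROP, the hostnames, addresses, ports and timestamps are all made up for the example; the line formats follow common iptables LOG and OpenSSH defaults.

```python
"""Added example: correlate firewall drops with service-level login failures.

A lone port probe is background noise and a lone failed login is a typo.
A source that scans several closed ports and then fails to authenticate on
an open one is the event worth a ticket. Sample logs below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of a kernel firewall log (iptables -j LOG --log-prefix "FW-DROP ").
FIREWALL_LOG = """\
Aug 17 06:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=23 SYN
Aug 17 06:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40113 DPT=3389 SYN
Aug 17 06:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40114 DPT=445 SYN
Aug 17 06:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40115 DPT=8080 SYN
Aug 17 06:02:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=25 SYN
Aug 17 06:03:44 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=21 SYN
"""

# Constructed sample of the SSH server's auth log on the host behind the firewall.
AUTH_LOG = """\
Aug 17 06:01:05 srv1 sshd[2211]: Failed password for root from 203.0.113.45 port 40120 ssh2
Aug 17 06:01:07 srv1 sshd[2211]: Failed password for root from 203.0.113.45 port 40120 ssh2
Aug 17 06:01:09 srv1 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 40121 ssh2
Aug 17 06:05:00 srv1 sshd[2250]: Accepted publickey for jdoe from 198.51.100.23 port 50222 ssh2
Aug 17 06:07:31 srv1 sshd[2260]: Failed password for jdoe from 198.51.100.23 port 50230 ssh2
"""

DROP_RE = re.compile(r"FW-DROP .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dport>\d+)")
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def dropped_ports_by_source(fw_text):
    """Map each source IP to the set of destination ports the firewall dropped."""
    ports = defaultdict(set)
    for line in fw_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dport"]))
    return ports


def failed_logins_by_source(auth_text):
    """Count failed SSH password authentications per source IP."""
    fails = Counter()
    for line in auth_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fails[m["src"]] += 1
    return fails


def scan_then_connect(fw_text, auth_text, min_ports=3):
    """Return sources that probed at least `min_ports` distinct closed ports
    and then failed to authenticate on an open service."""
    probes = dropped_ports_by_source(fw_text)
    fails = failed_logins_by_source(auth_text)
    hits = {}
    for src, count in fails.items():
        scanned = probes.get(src, set())
        if len(scanned) >= min_ports:
            hits[src] = {"scanned_ports": sorted(scanned), "failed_logins": count}
    return hits


if __name__ == "__main__":
    for src, info in scan_then_connect(FIREWALL_LOG, AUTH_LOG).items():
        print(f"{src}: probed {info['scanned_ports']}, then {info['failed_logins']} failed SSH logins")
```

On the sample data only 203.0.113.45 is reported: it hit four closed ports and then racked up three failed SSH logins. The single failed login from 198.51.100.23 is ignored because that host never probed the firewall, which is the kind of noise a reviewer should be able to skip past. In production the two inputs would come from a log collector rather than string literals, and `min_ports` is the knob to tune against the site's normal scan background.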
Not to sing my own praises, but to sing my own praises, they picked the right guy when they picked me; there have been no major security incidents since I took over.
It seems these days that everywhere you look, there is a privacy disclosure statement. You get them from your bank, your credit card companies, lenders, and just about everyone who asks for any non-public personal information (NPI). Have you ever read one of those things? You should. You have a right to know what information is being kept and how it is used. Here is one such clause:
You have the right to know what NPI we have about you, to have access to it and to receive a copy upon request, where required by law. If you have questions about what we may have on file, please write to us. Give us your name and address, date of birth, [other information] and the type of NPI you want to receive. Some types of NPI obtained when [actions are taken] or defending lawsuits need not be shared with you.
The firm or group who has NPI about you may not have obtained all of it directly from you, so unless you ask for it, you don’t know exactly what they have. It is entirely possible that some NPI is incorrect and you will never know unless you request it. You have the right to request erroneous information be corrected.
You may contact [company] if you believe your file should be corrected, amended, or deleted. We will review your request, and within thirty (30) business days, we will make the requested change or provide an explanation of our refusal to do so. If we do not make the change, you may send a statement for insertion in your file, setting forth what you believe to be the correct NPI and explaining why you believe the NPI in our file to be incorrect. If you ask us to, we will notify persons to whom we have shared NPI of the change or your statement. With any subsequent sharing of NPI, we will include a copy of your statement.
You see, you have to ask. Any firm is going to do only what they are bound by law to do and no more. That’s their responsibility. Your responsibility is to be alert and informed and to take action if you are concerned. It’s not up to someone else.
It’s up to you.
I simply have to try this someday. It’s hilarious! No better therapy for the IT Blues than a good laugh.
The more things change, the more they stay the same. I’m still seeing PCs with serious malware infections that defy any and all attempts to clean them up. I used to persevere and eventually succeed in killing whatever beasties were inhabiting the dark recesses of the system. Just last week, I fought one for two hours before finally doing a factory reset. The trouble is, now as then, the things keep coming back, and if I didn’t take drastic action, I’d be facing another hours-long battle. Once a machine is infected you can never trust that machine again unless you refresh or restore it to factory configuration.
Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware (as in 2015) is even more tenacious and stealthy than it was seven years ago when I first wrote about this. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Windows 8 gave you an easy way to preserve user files while restoring the factory image and it’s still going strong in Windows 10. One caveat: the preserved user files come back untouched, so a booby-trapped document or a downloaded installer sitting among them survives the reset and should be scanned before anyone opens it. I’m not totally convinced that this is the best way to go, but so far I haven’t seen too many “repeat customers” after doing it.
Maybe the question should be: When can we expect to see the first Windows 10 security vulnerability? The follow-up question is: What will it be?
With the recent release of Windows 10 on July 29, 2015, we are faced with a new operating system that is bound to have some security issues. It’s impossible to predict what and when, but let me point out that Microsoft has introduced some new security features (Device Guard, Windows Hello and Passport, to name three, all of which are covered elsewhere). Any new feature has, by definition, seen only limited testing, and we can’t have complete confidence in it until the millions of true beta testers–the user base–have put it through its paces.
Having said that, I do have the feeling that Windows 10 security will be far better than in all previous versions. Still, you have to realize that security is, and probably always will be, a cat-and-mouse game. We can keep building better mousetraps, but as long as the cyber-criminals continue to realize huge profits, they will continue to build better mice (or bring humans–the one irreparable vulnerability–into the colony).
The old cliché goes, “The best laid schemes o’ Mice an’ Men, Gang aft agley” (Scots version). As I tend to use those tips that I promulgate, I have been using the method described in my previous post. Well, wouldn’t you know it, some sites don’t like the “.” character in their password fields. I had to modify my method. So, I changed the character for the dot to “-” and the character for the dash to “_”, making the letter “F” (..-. in Morse) appear this way: --_-.
Then it occurred to me: You can substitute any character you want, even the representation of the sounds themselves, for the dots and dashes. If you represent “F” that way, it becomes “ditditdahdit.” Talk about adding complexity! And you won’t find any of that gibberish in any dictionary attack in this universe (at least not yet). Nor will you have to worry whether or not a special character will be accepted.
You could use the letters s & l for “short” and “long”–the duration of the sounds that make up audible Morse code. So “F” becomes “ssls.” That’s not quite as good as dit and dah, but it works–you just have to substitute for a few more letters or numbers to string out the complexity.
These days, it’s all about staying ahead of the bad guys and the best way I know to do that is with increased length and increased complexity to make their dictionaries and other pattern templates useless and drive them to use brute force methods.
Oh, by the way, you can write down any password reasonably safely (as long as the reader doesn’t know your scheme) by writing the Morse version in place of the real thing, to wit: Password is Doolittle. Write that down, but use Ddahdahdaholditditttle. That one is even sort of melodic…
We all agree that strong passwords are especially necessary in today’s hack-a-day world and there are sites galore giving advice on how to create memorable strong passwords. I’ve posted more than my share of advice on this subject over the years.
One thing that has always been frustrating is attempting to use one of my favorite password strengthening patterns only to be told that the characters are not allowed. So, I’d have to switch to my alternative method which, unless I added several more characters, wasn’t as strong.
One thing I’ve noticed on these sites is that usually they will allow special characters like periods, dashes and the like. Periods. Dashes. Hmm, we Ham Radio operators (I’m W4KGH, in case you’re wondering) use dots and dashes to signify Morse Code characters. Everyone is familiar with the international distress signal, SOS, which sounds like di-di-dit dah-dah-dah di-di-dit. Written with dots and dashes, it looks like this: ...---...
So, I thought, why not use Morse code patterns in place of some letters in your password? Doing that will significantly increase the length, and with it the strength, of your passwords. Strictly speaking it is an encoding rather than encryption, since there is no key involved, but it does the job of stretching a short word into a long string.
By way of example, the word “password” is eight characters. Replace one “s” with the Morse equivalent, “...”, and you’ve lengthened it to ten characters. Replace both of the s’s and the o with the Morse characters and it becomes pa......w---rd, 14 characters (I don’t recommend you use my example).
You might say that using Morse code–which most people don’t know–would make passwords even harder to remember. Not so. If you limit your use to the numbers, there is an easy-to-remember and quite elegant symmetry to the character patterns: 1 through 5 are that many dots followed by dashes to fill out five places (1 is .----, 5 is .....), 6 through 9 are one to four dashes followed by dots (6 is -...., 9 is ----.), and 0 is five dashes. You should be able to see it easily in the illustration.
Something like 8/.--------.........-- (22 characters) isn’t going to be cracked easily with a brute force attack and it sure isn’t going to fall to a dictionary attack.
There are many ways to utilize this and I’ll leave the rest to your imagination. Give it a try. It can’t hurt and you might have some fun.
Hackers, cybercriminals, government-sponsored cyberattacks, terrorists, et al. are constantly in the news related to cyber security. The focus is usually on data breaches. These things certainly are not good and cause a lot of economic damage to the victims, not to mention the emotional distress and inconvenience. But is this really what we should be concerned about? Who or what is the most dangerous security threat?
Here is some food for thought. I venture to say that the most dangerous security threat we all face is our totalitarian-wannabe government (if you have never read George Orwell’s novel, 1984, I highly recommend it). It’s not too far a stretch what with how the NSA is actively spying on all of us (and don’t think for a moment that they aren’t still doing it, despite utterances to the contrary). The NSA continues to develop spyware and malware that even the elite in the cybercrime community haven’t begun to approach. Oh, wait, maybe the NSA are the elite in the cybercrime community.
Lest you dismiss what I am saying here, please take a look at what noted security researcher and Electronic Frontier Foundation board member, Bruce Schneier has to say in his article “How the NSA Threatens National Security:”
…the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like “collect,” “incidentally,” “target,” and “directed.” It cloaks programs in multiple code names to obscure their full extent and capabilities. Officials testify that a particular surveillance activity is not done under one particular program or authority, conveniently omitting that it is done under some other program or authority.
…US government surveillance is not just about the NSA. The Snowden documents have given us extraordinary details about the NSA’s activities, but we now know that the CIA, NRO, FBI, DEA, and local police all engage in ubiquitous surveillance using the same sorts of eavesdropping tools, and that they regularly share information with each other.
Those of us who know the score need to present a united front with our strong voices against the criminal agencies that continue to insist on spying on their own law-abiding citizens. Inspection before the fact has always been–and always will be–a violation of individual rights, liberties and personal privacy.
You know the person in your office who leaves their passwords taped to the front of their monitor? Sure you do. They’re putting everyone’s data and hard work at risk because they’ve short-circuited the security process. It’s not nice and it sometimes could cost the company money.
What would you do if that same person ran around the office and logged into EVERY workstation (something that shouldn’t even be possible) and then left all the machines on and the doors to the office open? You might as well leave the door to the Internet open with a sign inviting hackers to stop by and take what they want.
Yeah, well that’s pretty much what Samsung did recently when they took it upon themselves to disable Windows Update on some Samsung machines. In the news this week, the BBC reported tales of Samsung machines disabling updates from Microsoft in favor of Samsung’s own software. This was denied – sort of – by Samsung with a comment about giving consumers a choice when it came to software.
But the bottom line is that it happened enough to get people’s attention.
Is it a huge deal? Not really in terms of numbers, but it might represent the way the market is going when it comes to software that comes preloaded on machines and what security is used to protect certain platforms.
Here’s a snippet of the article…
What do you think? Does it make sense for Samsung to actually have some say about what goes on their machines? Should consumers have a say? Or are we still in a three-platform world with Linux, Apple and Microsoft running everything?
Leave your thoughts in the comments. Thanks!
It’s odd. When most of my posts are about keeping things secure, this piece of news jumped out and reminded me that log and access management are still vital pieces to data and facilities security.
A primer for those who just read the security corner for fun. Log management, simplified, is collecting and keeping the records of who and what touched a system, and examining them to see who accessed which data and when.
Further, log management can also mean the examination of access logs to facilities and offices within a building or campus. That’s why so many businesses (most if not all these days) ensure that everyone they employ has a badge and that the badge is coded to allow them into certain areas. If you don’t have permission to be in an area – you have not been provisioned – then your badge won’t let you in.
In the case of the news in this article about the government paying out LOTS of money to dead people, it’s very clear that nobody checked to see if the people were still breathing. A simple check that each payee was still alive before cutting the check would have kept $46.8 million in the coffers of the USA and out of the pockets of thieves. While this wasn’t simply a case of “OK, your badge looks legit, go on in,” it is a case where better security should have been used.
What’s your take on how secure our government keeps its money? And then beyond that, how safe do you think they’re keeping information if they let actual cash get away so easily?
Yikes! I look forward to hearing from you in the comments or discussions. Thanks for reading!