From the category archives:
ICT Security
Today's blogpost is about password management. I have (what I think) is a
good solution that means you'll only need to remember a few small
details for all your online passwords.
(crosspost from my personal blog http://adamfowlerit.blogspot.com.au)
Hello,
An entirely unexciting topic for most - including myself. You've all heard and possibly uttered phrases such as 'the longer the password the better' and 'use complicated passwords' which are of course true. Here's a blurb taken from Intel's Supplier Password rules via https://supplier.intel.com/Auth/PasswordRules.asp :
In order to protect your security, Intel has certain rules for choosing passwords.
Please read the following rules so that you will know how to choose a good password.
The following rules apply to all passwords:
The password must be at least 8 characters long.
The password must contain at least:
one alpha character [a-zA-Z];
...
Geekin' Out At The Chalk - SMBiT Professionals Brisbane, in association with Alan Burchill and Bryce Telfer, present:
Sunday Spotlight Streaming Session 10:00 - 17:00, 23 October, 2011
G'day All (and anyone else listening in),
Just a heads up to let you know that SMBiT Professionals Brisbane is running a Spotlight Session this coming Sunday (2011-10-23) at the Chalk Hotel in Woolloongabba where we're delving into Group Policy with Alan Burchill and Remote Desktop Server with Bryce Telfer as related (in particular) to an SBS 2011 environment.
The event will be streamed live for financial SMBiT Professionals members in our SharePoint site, under the Brisbane sub-site.
For everyone else, the event will be streamed free (of cost, password, however not advertisements) at:
http://www.justin.tv/hiltont
http://www.Ustream.tv/channel/SMBiTPro-Brisbane
So, feel free to get your geek on with us this weekend - the show starts around 10:00 AM and will be over just in time for us to watch the Rugby Union final! :)
...
Will SMS be replaced by Facebook? Will Email be replaced by Google Plus? Read on for my thoughts on the topic, raised on Triple J's Hack program 21/09/11.
27/09/11 Update: Tommy Tudehope has written an article on his thoughts here: http://www.abc.net.au/unleashed/2913064.html
Today I was listening to the current affairs show 'Hack' which airs daily on Triple J at 5:30. One of the topics today was from a Social Media Consultant Tommy Tudehope (on Twitter at @TommyTudehope), who was predicting that SMS would be dead in 5 years, and Email dead in 10.
For the audio of the broadcast: http://mpegmedia.abc.net.au/triplej/hack/daily/hack_wed_2011_09_21.mp3
Webpage of Triple J's Hack: http://www.abc.net.au/triplej/hack/podcast/
Tommy's claims:
"... People think SMS is one to one, of course it is, but is it really private, who has access to it, and are you always relying on your service provider Telstra or Optus to connect you through."
"...A lot of businesses have trouble working/collaborating with other businesses so sending mass emails to different people who you're working with. Now with Google Plus, you can h ...
Run around with arms in the air and scream the sky is falling? Or think seriously about security ...
You've probably heard of the DigiNotar certificate authority compromise, which has led to the removal of their CA trust from most browsers (apparently Apple is lagging behind on this), and affecting their customers who rely on them for providing SSL to their websites and other services. Prior to that, it was Comodo, and now we hear of a possible GlobalSign breach. It seems that these may be all from the same person (or people) in all cases.
It's easy to observe a common principle in action with any given security breach. One breach occurs, and the floodgates tend to open. Another good example was the Sony Playstation Network breach. A classic example that still holds to this day is Windows, and even Mac OS X is starting to feel it as their uptake continues to increase.
A successful breach flags a company as a potentially easy target. You'll get a mix of followups - from the original attackers, the security researchers, other "interested" parties, and of course what we always called th ...
In which I find a new cloud-based service which I'm so impressed with that I want to share it! To the cloud!
From an IT Pro's perspective, website security and performance can be a real pain. More often than not, you're not responsible for the website's code, yet you're responsible for its operation. Even the best developer can sometimes leave security holes and less-than-stellar performance in your lap ... and sadly, a lot of developers aren't anywhere near "the best". Paula Bean might be brillant, but it doesn't mean she should be allowed near your precious website.
But let's not pick on developers. The ever-changing nature of the web, the constant demand for new and innovative solutions, working with a bunch of nongs who have no appreciation for proper coding standards - I can understand all of this well, and the frustration behind the humour on sites like The Daily WTF is very evident from both developers and IT pros alike. I'm a frequent reader.
Like any aspect of IT security, websites are an ongoing concern that need continual review and improvement. I'm hardly a security expert ...
As it unfolds, the magnitude of stupidity in Sony's Playstation Network breach becomes more and more apparent. Why should anyone have faith in Sony going forward?
So ... the Sony Playstation Network had a serious breach, and it's been down for over a week. I'm not telling you anything new, that you can't find all over the Internet, and which is covered in exquisite detail. That's by no means the intent of my post. My intent is to highlight exactly how this is a massive security failure.
It took them a week to notify users that customer details had been breached. That's something that cannot - and should not - be ignored. Based on the latest FAQ, we know that the personal details of Sony's customers were not encrypted - but the credit card table, containing credit card number and expiry dates, was. Be under no illusion - this is a massive failure, and privacy breach, on the part of Sony. Worse still - they are being deliberately disingenuous about the information they're revealing. The lack of encryption and sanitisation on private details is a serious concern. And using "but the credit card table was encrypted" is an attempt to falsely assure those ...
All too often, IT security gets communicated as a big contest - who can piss higher than the other. It's not appropriate, and it doesn't help. So why keep doing it?
It always leaves me bemused to see various security experts and pundits bemoaning the lack of “sophistication” in successful security breaches – for example, this Ars Technica post on the RSA compromise. I know that the article in question is picking at RSA’s choice of words in claiming it to be a sophisticated attack – but it still belongs in the same pissing contest that pervades the industry.
Sophistication in an attack on security isn’t strictly necessary. A security breach just needs to succeed – and in fact, the more mundane and unobtrusive the approach is, the better its chances of success. I can appreciate a “clever” hack or security breach, but it’s important to also appreciate the reality of most attacks – they are boring, everyday exploits that quite often take advantage of people’s ignorance (or greed). Let’s take the RSA spearphishing attack. An embedded Flash file within an Excel spreadsheet, which takes adv ...
What are the implications of Wikileaks and other whistleblowing to your ICT operations?
Day after day, at the moment, we see examples of information leakage. I refer, of course, to the diplomatic cables being released by Wikileaks which is the target of so much media attention.
I wonder that no-one considers the ramifications of these revelations to ICT and to IT Managers, with all this information existing in digital form. I know that I certainly do, but many in both private and public enterprises simply do not. There is a legal and ethical minefield to consider though, both for the IT Manager and their staff, and for the broader organisation.
I must admit to falling on the side of information wanting to be free. I struggle with the notion of classifying information as secret and confidential, except where it directly relates to personal information or information that could put someone at risk.
That said, as an IT Manager, it is my job to look after information. It would be unethical - and potentially criminal - to release information under my custodianship ...
Anti-malware is taken for granted, both by Windows and non-Windows users. It's time that stopped, and time for antimalware vendors to get a shakeup too.
I've previously written about my opinions on 'market leading' antimalware such as McAfee, Symantec, and Trend Micro. The point of that post, though, was to encourage people to re-evaluate their malware protection - because so much of it is utter crap - and to highlight the need to focus on just more than the desktop.
A couple of days ago, Ed Bott of ZDNet posted his findings on Microsoft Security Essentials versus McAfee (short story: McAfee failed abysmally), and later updated with a further test, on which McAfee, Symantec, Trend Micro, and others all performed poorly.
"In this case, at least, that protection wasn’t as complete as the free Microsoft product it was comparing itself to.
As an aside, it’s worth noting that criticizing Microsoft Security Essentials because it’s free misses an important point. MSE uses the same scanning engine and definitions as its enterprise-grade Forefront product, which is most assuredly not free."
...
It would stand to reason that I would have observed substantial improvements in the approach to security, and especially malware prevention, over my years in IT. Sadly, nothing could be further from the truth. It seems people are still falling for the same old traps.
If you'd asked me 10 years ago what the most common attack vectors were for malware, I'd have answered email and removable media.
If you ask me today, you'll get the same answer. Why is that the case? Because it still succeeds - and I would argue, more so than any other - so there's no real imperative to find alternative vectors. A lot of attention is given to self-replicating worms that exploit weaknesses, like Conficker and older worms; and arguably they do have quite a good success rate. But the real business still seems to be in email and removable media.
You might dispute that - but think about phishing (or spearphishing) attacks. Something which tends to actively require the victim's participation, and which is primarily initiated via email. They don't even send any malware in the email - they could well download malware to your computer as part of the attack, but it's not a pre-requisite to succeed. They're typically looking to dupe users of their password, bank details, an ...
A recent security breach reported by Risky.Biz got me thinking about underlying causes after reading quotes and info showing they weren't taking their IT seriously. There are lessons in that for business and IT alike.
Over the past week, there's been a background buzz in my Twitter feed relating to the breach of an online customer database belonging to Hell Pizza - a NZ company with stores in New Zealand, England, Australia and Ireland.
It's a pretty big story from a security perspective and broken exclusively by the host of one of my favourite podcasts - Patrick Gray of Risky Business. Great job by Patrick - it's an incredible story that belongs on another favourite of mine, The Daily WTF. SQL queries within Flash code? Open access to their MySQL database? A black hat's dream and an IT manager's nightmare.
My old friend Maurizio of Geekzone pointed out that there'd been hints of the issue as far back as 12 months ago - totally unsurprising.
I've seen a few takes on the story, including the standard and unethical 'lifting' of the story without attribution, which always bugs the hell out of me. Gotta love the journo game. And sure enough, some security vendors are quick to jump o ...
What? What is there to argue about? We elected them, surely our politicians know what's best for us?!
It hit me last night like a bolt of lightning: The proposed internet filter is a good thing.
Far too many Australians are at risk of accessing inappropriate data when browsing online. Far too few households take their internet security seriously. Far too many children are wasting valuable cyber-bullying time having to close pop-up windows, encouraging them to get involved in Chat Roulette and the like.
Knowing the filter is coming, even that there are trials of some of what the filter will do, helps me sleep at night. Friends, any kind of internet filter that will ensure I can not/will not be able to access information deemed to be inappropriate by a faceless group of hand-picked individuals who will protect my every click-through by blacklisting websites known to contain offensive material is a good thing. As a voting adult, I elect my officials to make these decisions on my behalf. I elect them to determine that twogirl ...
This is a cross-post from my blog
I recently had a catch-up with Stuart Strathdee, Chief Security Advisor for Microsoft Australia, who is out and about throwing his weight into Microsoft’s message encouraging users and businesses to ditch IE6 as soon as possible.
Personal computers running IE6 still make up a significant share of online systems, which is quite a scary prospect given that its ability to handle modern security threats is negligible. Engaging with customers is going to be an ongoing challenge for Microsoft - it can be extremely difficult to persuade users to make any sort of change to their systems if there's no obvious reason to do so. Unfortunately most home users wouldn't know if their machines were compromised or not, so as long as malware can sit quietly without causing obvious problems like crashes or popups, infections can go for a long time without detection or resolution.
Continued business us ...
My first look at Citrix's Xen Client Desktop Hypervisor
Yesterday I downloaded and installed Citrix Xen Client. Xen Client is a desktop hypervisor which allows virtual machines to be run on the bare metal without the need to first run up a full operating system. This works in much the same way as vSphere or Xen Server in the data centre.
I should preface this post by noting that Xen Client is currently pre-release software and as such plays up a little. My first installation attempt was on a Lenovo x201. Whilst the install completed okay and the Hypervisor loads, the graphics drivers are missing and as such I was unable to load the GUI. I had been warned during installation that the x201 was not on the Hardware Compatibility List (HCL) and rightly so it seems.
Running over to Citrix.com I noted that the x200 was on the HCL so I grabbed one from the desktop team and installed Xen Client again. This time I was presented with a client screen. The interface here is very simple. Across the top of the s ...
We've just had a look at how to secure your connection in Part 1 so obviously everything is now all hunky-dory on that end.
Some of the other areas that you naturally have to look at is the environment/infrastructure/network and your data itself.
It's not much use to encrypt and secure the data that you're transferring if the actual data itself isn't protected. What, I hear you say? My IT guys have got that under control... firewalls up the wazoo... everything's patched and service packed! Of course that's not really enough and we know this - we just sometimes choose to leave that in the hands of those other people - network engineers.
If we look at SQL Server 2008 then there are a lot of new capabilities available to us for data security.
SQL Server 2008 Encryption Capabilities
Built-in cryptography hierarchy for the creation of asymmetric and symmetric keys as well as certificates
Transparent Data Encryption (using database encryption keys - DEK)
Signing of code modules (using keys or certificates)
Creating certificates
It's not that complex to create certificates (by the way, all SQL Server certificates comply with the IETF X.509v3 certificate standard) on SQL Server 2008. It's as simple as using T-SQL. Note that the WITH options are comma-separated.
Self-signed certificate
CREATE CERTIFICATE name ENCRYPTION BY PASSWORD = 'strong password goes here' WITH SUBJECT = 'subject goes here', EXPIRY_DATE = 'expiry date goes here'
Certificate from a signed executable file
CREATE CE ...
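As an added, worked example that is not code from the original post: the T-SQL below exercises all three capabilities listed above (the key/certificate hierarchy, module signing and TDE) end to end. The database name PayrollDemo, the table, key, certificate, user and role names, the file paths and the sample row are all assumptions for illustration; the passwords are placeholders to be replaced.

```sql
-- Added worked example, not code from the original post. Database, table,
-- key, certificate, user, role and file names are assumptions; the
-- passwords are placeholders that must be replaced.

-- 1. Database master key (DMK) in the user database. CREATE MASTER KEY also
--    encrypts the DMK with the service master key, so it opens automatically.
USE PayrollDemo;                                  -- assumed database
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk!Replace-Me-2011';
GO

-- 2. Self-signed certificate. The comma before EXPIRY_DATE is required.
CREATE CERTIFICATE PayrollCert
    WITH SUBJECT = 'Payroll column encryption',
         EXPIRY_DATE = '2031-12-31';
GO

-- 3. Symmetric key protected by the certificate. Bulk data is encrypted with
--    the symmetric key; the certificate only protects the key itself.
CREATE SYMMETRIC KEY PayrollKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PayrollCert;
GO

-- 4. Column-level encryption, demonstrated on one constructed sample row.
CREATE TABLE dbo.Employee (
    EmployeeId     int IDENTITY PRIMARY KEY,
    Name           nvarchar(100)  NOT NULL,
    BankAccountEnc varbinary(256) NOT NULL      -- ciphertext only, never cleartext
);
GO
OPEN SYMMETRIC KEY PayrollKey DECRYPTION BY CERTIFICATE PayrollCert;
INSERT INTO dbo.Employee (Name, BankAccountEnc)
VALUES (N'A. Example', EncryptByKey(Key_GUID('PayrollKey'), N'12-3456-7890'));
SELECT Name, CONVERT(nvarchar(50), DecryptByKey(BankAccountEnc)) AS BankAccount
FROM dbo.Employee;                                -- returns NULL if the key is not open
CLOSE SYMMETRIC KEY PayrollKey;
GO

-- 5. Module signing. Ownership chaining covers SELECT on the table but not
--    the permissions needed to open the key, so sign the procedure with the
--    certificate and grant those permissions to the certificate-mapped user.
--    Callers then need only EXECUTE and cannot open the key themselves.
CREATE PROCEDURE dbo.usp_GetBankAccount @EmployeeId int
AS
BEGIN
    OPEN SYMMETRIC KEY PayrollKey DECRYPTION BY CERTIFICATE PayrollCert;
    SELECT CONVERT(nvarchar(50), DecryptByKey(BankAccountEnc)) AS BankAccount
    FROM dbo.Employee
    WHERE EmployeeId = @EmployeeId;
    CLOSE SYMMETRIC KEY PayrollKey;
END;
GO
CREATE USER PayrollCertUser FROM CERTIFICATE PayrollCert;
GRANT CONTROL ON CERTIFICATE::PayrollCert TO PayrollCertUser;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::PayrollKey TO PayrollCertUser;
ADD SIGNATURE TO dbo.usp_GetBankAccount BY CERTIFICATE PayrollCert;
GRANT EXECUTE ON dbo.usp_GetBankAccount TO PayrollClerks;   -- assumed role
GO

-- 6. Transparent Data Encryption: server certificate in master, database
--    encryption key (DEK) in the user database. Back up the certificate with
--    its private key first; without it the database cannot be restored.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MasterDmk!Replace-Me';   -- skip if master already has one
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE server certificate';
BACKUP CERTIFICATE TdeServerCert TO FILE = 'C:\keys\TdeServerCert.cer'   -- assumed path
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Pvk!Replace-Me');
GO
USE PayrollDemo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE PayrollDemo SET ENCRYPTION ON;
GO
-- Check: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Three caveats worth knowing before relying on this: any ALTER PROCEDURE drops the signature, so step 5's ADD SIGNATURE has to be repeated after each change; switching TDE on for one database also encrypts tempdb for the whole instance; and TDE and column encryption protect data at rest only, so they do nothing for data in flight, which is what Part 1's connection security is for.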
I guess this is one of my pet hates/loves - too often I come across applications that make their database connection strings freely available to anybody who knows where to look.
As a junior developer, the main focus is generally just to secure the connection string and leave it at that - the IT guys know what they're doing. But untold amounts of data are being transferred across domains, networks or even in public, without any thought for how that data is secured.
I'm sure many who have worked in the finance industry (banking, anyone?) are aware of how important it is to secure that data... we're dealing with money here, so it's an obvious fact that it needs to be safe.
So, how do we do it? Or do we care? I mean, the famous last words of any application exposed to the public are "it wouldn't happen to me, right?".
Where do we start?
Encrypting web.config connectionstrings
The obvious first choice would be to take whatever details you're storing in your config files and make it unavailable - check (web.config isn't readable from the web....or is it?).
Naturally we don't want to encrypt everything - so let's just do those that are important for now.
Connectionstrings, encrypt:
aspnet_regiis -pe "connectionStrings" -app "/AppName" -prov "RsaProtectedConfigurationProvider"
ConnectionString, decrypt:
aspnet_regiis -pd "connectionStrings" -app "/AppName"
Now we've encrypted the connection string - data is safe... nah, of course not - this only encrypts that section of the web.config, using a machine-level RSA key container. Data is still being transferred between servers in plain text.
Next is a simple way to ensure that your data is being encrypted - get hold of a SSL and use the SQLClient connectionstring ...
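As an added check that is not part of the original post: once the SqlClient connection string carries Encrypt=True (and TrustServerCertificate=False, so the server's certificate is actually validated rather than blindly trusted, which would leave the link open to a man-in-the-middle), the server itself can tell you which sessions are really encrypted. The query below uses only the standard DMVs sys.dm_exec_sessions and sys.dm_exec_connections; nothing else is assumed.

```sql
-- Added check, not code from the original post. Lists every user session
-- whose connection is NOT encrypted, so a connection string that silently
-- fell back to plaintext (or an app that never set Encrypt=True) stands out.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,                 -- TCP, Named pipe, Shared memory
       c.client_net_address,
       c.auth_scheme,                   -- SQL, NTLM or KERBEROS
       c.encrypt_option                 -- 'TRUE' only when TLS is in use
FROM sys.dm_exec_sessions    AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.encrypt_option = 'FALSE'       -- show only the plaintext sessions
ORDER BY s.login_name, s.host_name;

-- Run from the application's own connection to confirm that one session:
SELECT encrypt_option
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

If the first query keeps turning up rows from applications you do not control, the server-side "Force Encryption" setting in SQL Server Configuration Manager (under the instance's network protocols) makes TLS mandatory for every client instead of leaving it to each connection string.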
A simple look at the problems associated with breaking down security to users.
I wanted to take this first big blog on #autechheads (yes @aussienick I'm using hash tags in blogs now as well as emails and twitter) to talk about the second biggest buzz word after Cloud... Privacy. This one simple word that turns simple solutions into complex minefields with civil libertarians jumping out of their skin to protect the children.
Privacy (from a technology stand point) has found its way back into the media thanks to Mark Zuckerberg's little web-app Facebook. Whether it's due to the numerous and ridiculous privacy settings, the terms of use, reports of a super-account, staff hacking profiles, how teens and all users should be more careful (http://www.smh.com.au/technology/technology-news/the-terrors-of-twittering-growing-up-in-an-unexploded-data-minefield-20100505-u8rk.html) or simply bugs that expose private information (http://www.smh.com.au/technology/technology-news/facebook-glitch-exposes-friends-chatter-20100506-ubqw.html) Facebook is under the spotlight.  ...