On this date in 2004, I started this blog.
In some ways it was about playing with the technology, first MovableType and later WordPress. In other ways it's been a place to dump my brain with links I wanted to remember. It became a place to talk about my experiences. Other people's blogs and community posts have helped me out. If I can save someone else a few minutes, why not give back in that small way.
I don't know what the future will hold. Whether you're a regular reader or someone who drifted in on a bing/google search, thanks for the read.
It's been rather quiet on the blog for a while because of an unfortunate incident that occurred back in March.
I never really believed I was anonymous. After all, the domain was originally registered publicly rather than via a proxy, so it's a simple matter to get my name and address. Nevertheless it is a bit disconcerting when a big yellow vendor goes to the trouble of contacting your workplace lawyers over something you write. They felt that their product roadmap works best as a surprise to customers. So, lesson learned. Next time you're told it's ok to blog something, get it in writing if it's not already on the internet. What they don't realize is that I could write the same article without the information they provided, and they would look much worse.
The greater can of worms that was opened is the company social media policy, quietly enacted last November, which forbids me from talking about the work vendors do for us. So we may just have cat pictures until I feel more comfortable giving my direct, unfiltered, caustic opinion.
ComputerWorld’s Best Careers for the Introverted IT Pro article caught my eye. Information Security Analyst is one of the suggested jobs. Laurence Shatkin, author of 50 Best Jobs for Your Personality says, “This career is so focused on data and, to a lesser extent, on hardware that it offers many opportunities for solitary work.”
This is so opposite to the mantra that I hear from people regarding infosec work that I thought it worth a comment.
According to the Bureau of Labor Statistics, Information Security Analysts:
Plan, implement, upgrade, or monitor security measures for the protection of computer networks and information. May ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure. May respond to computer security breaches and viruses.
Ok, nothing about chatting people up there.
But the Infosec Institute takes it further:
They are responsible for implementing any training required including instructing staff on proper security measures both in the office and online. The security analyst must work with business administrators as well as IT professionals in communicating flaws in security systems. They recommend changes that will improve every aspect of company security. The security analyst is also responsible for creating documentation to help the company in case there are any breaches.
It isn't enough that the Infosec Analyst needs to have knowledge of every aspect of Information Security within a company. They train people, notify of vulnerabilities, work with business units, and influence executives.
It simply isn't possible to be all things to all people. Often the people that are great at influencing don't have the same drive to stay current on the technology. But to say that Infosec Analyst is a great job for an introvert because you just deal with computers and data is dated. People are the layer 8 problem in security. You ignore that to the detriment of your information security program.
On the whole, I think that ComputerWorld has succeeded with link bait, but failed to make a great article.
The SANS blog post today about an AVG false positive in Windows XP reminded me that we’re just over a year away from XPiration. (Think that will be a hashtag next year?). So I’m getting an early start on the tech media flood of articles on the impending end of support for Windows XP. On April 8th, 2014 you will no longer be able to get security updates from Microsoft. On my network there are only a handful of XP machines left thanks to a successful Windows 7 migration. Those machines should have forced retirement through lease expiration by that date.
I’m in a small to midsized environment, and I have the tools necessary to do my job. Among the machines I control we have software inventory through SCCM. Forescout provides OS identification for managed and unmanaged systems. Because of this, I shouldn’t have any unknown systems popping up.
The retirement of Windows 95 wasn't so simple. It wasn't a retirement of 95 per se, and I don't remember if this was before or after the Windows 95 retirement date, Dec 31, 2001. Rather, we forced out Windows 9x by increasing the security requirements to a point where existing 9x clients didn't work. It turned out that the printer that cut checks was Windows 95. smh.
A couple of good updates if you’re a LastPass Enterprise customer.
The LDAP sync utility has been updated and will now run as a service. Before, it ran as an application, and that didn't work well for me. The LDAP sync talks to your directory and updates new users and disabled/deleted users according to the settings you provide.
The second update is a new video for enterprise users. The provided training videos are great. But they don't cover topics specific to the enterprise product. I was also looking for a way to host internally. If I link to Youtube the user will see an advertisement before the video. The "what's related" after a video caused me embarrassment in a training session. (Next time, I'll disable "what's related" in the link). This new video is good.
Both were issues or annoyances I had, and both were quickly fixed.
At Shmoocon 2013, Jake Williams and Mark Baggett presented a talk on techniques for malware persistence.
We all know the correct course of action with an infected computer is to wipe it and start over. But when it comes down to it, we ignore that advice and attempt to recover. The reasons for this are many. The need to play superhero. Boredom (if you haven’t been cleaning computers, it sounds more challenging than the usual same old). There is also pressure from the business (or from the family member). They don’t want to reload everything. They may not even have the install media.
What is more downtime for the business, waiting for a system reload or having the system be "reinfected"?
When even the average tech might think that Malwarebytes is enough, it's hard to convince business to just wipe the drive. And sometimes it's hard to convince ourselves. Wiping the drive isn't a personal failing, and this talk from Shmoocon attempts to convince you of that by outlining re-infection techniques you may not have thought of. Autoruns, msconfig or hijackthis aren't the beginning and the end for how malware may return to your machine.
The slides are available at www.wipethedrive.com. It’s a good talk and worth checking out the slides.
On January 30th, the New York Times published a story about themselves. They were infected with an advanced persistent threat, and had called in Mandiant to clean up the mess. The quote repeated many times on twitter was
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
Any antimalware failure generates a lot of schadenfreude from people who think that wouldn’t have happened with their antivirus choice, wouldn’t have happened to their Operating System choice, or just think antivirus products don’t do anything useful.
I was more curious about what they were running and what their other security protections were. For example, if they’re running Symantec Antivirus version 10, then they’re a bit behind the times.
Initially Symantec chose not to comment. But in a statement released today (the 31st), Symantec stated:
“Advanced attacks like the ones the New York Times described in the following article, (http://nyti.ms/TZtr5z), underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”
It is important to be on the current release of your antimalware product, and to learn about and use the available features. This doesn’t guarantee protection against zero day targeted attacks. Nothing does. But it is a good place to start.
WordPress 3.5.1 is out.
This is a maintenance and security update.
The security updates are for:
■ Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team.
■ Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team.
■ Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue.
People often think they don’t need to worry about security because they have nothing of value to an attacker. In October Brian Krebs posted an updated chart on the value of a hacked computer.
The Indian is reported to have used every part of the buffalo, letting none of it go to waste.
While not every bad guy is going to treat your computer as something to be revered, so that if it is compromised they must wring every dollar out of it, any one of these items is a financial motivator for them to attack any computer user. The original poster by Krebs is below.
This diagram has now been updated by SANS.
High res version.
Your accounts can be sold. Your data can be held for ransom. Your computer can be used to attack others or host malicious files to infect others.