General: August 2007 Archives

For some reason the Cisco VPN client was available in both an InstallShield package and an MSI package. It became time to upgrade recently so I reluctantly re-entered the realm of Cisco software. This is something truly to be feared.

The InstallShield version is rather easy to install and brand, although it appears to be impossible to import two root certificates. The MSI version requires creating a transform file and has some really bad instructions about using Microsoft Orca to do this. I also found out that if you have an InstallShield version of the Cisco VPN installed, you must remove it and reboot before attempting to install the MSI version (and then reboot again).

Unfortunately Cisco has pulled the InstallShield version of the latest release and they report that no further InstallShield versions will be released. I guess I'll have to figure out how to package the MSI version, because I just don't want to deploy an older, slightly vulnerable InstallShield version, particularly when no further InstallShield versions will be released.

On August 21, the SANS Internet Storm Center noted that the Storm Worm was now being hosted on servers using nginx in the latest wave of attacks. They further noted that signatures based just on that server name were a bad idea because nginx is a legitimate web server.

I notice that my Cisco IDS is reporting instances of the Storm Worm. A lookup of that signature in the Cisco IPS signature database found that "the signature triggers on seeing the string "Server:ngix" in the return web traffic." While it does note that this could be legitimate traffic, this really wastes my time.
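To show why a banner-only match produces this kind of noise, here is an added example (not part of the original post and not Cisco's signature logic) that runs such a rule over a handful of HTTP responses and counts the false positives. The responses, their benign/malicious labels and the helper names are constructed for illustration, and it assumes the banner in question is nginx's usual `Server: nginx` header.

```python
from collections import Counter

BANNER = "nginx"  # assumption: the server token the signature keys on

def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def banner_only_signature(raw: bytes) -> bool:
    """Fires when the Server header names the banner, and looks at nothing else."""
    return parse_headers(raw).get("server", "").lower().startswith(BANNER)

def evaluate(samples) -> Counter:
    """Confusion counts for the signature over (is_malicious, response) pairs."""
    counts = Counter()
    for is_malicious, raw in samples:
        fired = banner_only_signature(raw)
        outcome = "true" if fired == is_malicious else "false"
        counts[outcome + ("_pos" if fired else "_neg")] += 1
    return counts

def precision(counts: Counter) -> float:
    """Share of alerts that were real detections."""
    fired = counts["true_pos"] + counts["false_pos"]
    return counts["true_pos"] / fired if fired else 0.0

# Constructed sample traffic: (ground-truth label, raw response).
SAMPLES = [
    (False, b"HTTP/1.1 200 OK\r\nServer: nginx/0.0.0\r\nContent-Type: text/html\r\n\r\n<html>blog</html>"),
    (False, b"HTTP/1.1 304 Not Modified\r\nserver:nginx\r\n\r\n"),
    (False, b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: image/png\r\n\r\n..."),
    (True,  b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n\r\n..."),
    (False, b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"),
]

if __name__ == "__main__":
    result = evaluate(SAMPLES)
    print(dict(result), "precision:", precision(result))
```

The rule catches the one bad response, but three of its four alerts are ordinary pages served by the same web server, which is the analyst time the post is complaining about.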

On paper, security is supposed to be a consideration in determining what products are purchased at my company. That message hasn't filtered out to all parts of the IT department, unfortunately. It's not that I want to have to be at every vendor meeting; it would just be nice if the security considerations came before the purchase order is created rather than as the product is deployed to the test bed.

The latest product that leaves me scratching my head is Hummingbird DM.

Hummingbird DM is a document management solution that we have purchased as part of a decision to move away from home-grown Lotus Notes databases.

To use Hummingbird DM you have to install a client that digs in deep and takes over much of the computer. What I've noticed is this client opens a website on port 81. I'm not sure of the purpose, but it seems very unnecessary. Permissions also seem to be an issue. I'm sure there are more folders than the ones I have access to. In the folders I can see, I can see sensitive data. What I'm told is, it is up to the user to set permissions when they upload a document. This goes against the best practice of not leaving security in the hands of the end user.

Last month, I read a blog entry over at zatznotfunny about Mozy that got me thinking. Perhaps it's time to give in to best practice and back up my stuff. I last backed up my home computer in 1995. It was an AST computer with a built-in tape drive of some sort. That computer has been in a closet for 8 years.

Backing up to a USB (or preferably eSATA) hard drive is fine, but if you don't take the drive to another location you still have potential data loss issues. Once you've done that, how do you guarantee a reasonable schedule for backing up?

Some people suggest that I back up to the extra disk space provided by my web provider. If I did that, I would have to somehow schedule backing up, encrypting the data and copying it to the remote server. My web provider's Terms of Service state that the storage space is for files necessary to the website. So that is not allowed anyway. Others mention Google Mail or Amazon's S3 service as a great way to store data cheaply. I think it's important to have software that you can count on to back the files up. I don't want a kludge.

So that brought me to Mozy. Free for the first 2 GB of data or 4.95 per month for unlimited. That sounded pretty good. If you exclude your media the free account may be good enough. If you want to back up the videos of the kids' first recital, then cough up the dough for the unlimited account. ArsTechnica had a review in July of several similar products and Mozy came out on top. After checking out their site, I googled to get the other side. A CNet blogger doesn't like it, but I think he's being unusually picky.

As I mentioned, data privacy is a concern when you send your data away. With Mozy there is an option to back up with their key or with a key you provide. The more paranoid would say that since it is their software doing the encryption, either key could really be known and stored by them. I chose to go with them picking the key for easier recoverability. I'll choose to trust their privacy policy that they do not look in data files. Hopefully controls are in place to prevent low-level, uncleared employees from obtaining access.

My data is encrypting now. So far I'm pretty pleased. I'll have to test recovery (they say it may take some time to create the recovery set for you).

As I say, I just installed it, so I'm not giving a full recommendation. However, you do need to be doing something with backup. If you do choose to try out Mozy, please use this link https://mozy.com/?ref=M447CB. If you sign up from that link and begin backing up data, we'll both get a free 256 MB bump up.

Last month there was a data breach at a Fidelity National Information Services subsidiary. Today, I notice they have a job posting for a Project Manager in Security/Audit/Compliance.

So is this
a) coincidence
b) locking the barn door after the horses escape
c) someone got canned.

Similarly, a few weeks ago I saw a job for a deputy secretary for infosec at the U.S. Department of Veterans Affairs. They've been having issue after issue with data disclosure. One wonders if they are just hiring the person who will take the blame for the next incident.