Posts tagged ‘Backup’

Out of Office

Are out of office (OOF) messages a security risk or a useful tool? (Microsoft uses the acronym OOF for Out of Facility. I’ll be using that rather than OoO for out of office.)

I’ve felt that the anti-OOF forces are the kind of Luddite people who still agitate for a return to text-only email. Rather than dismissing it out of hand, let’s examine some of the objections to OOF.

Out of office messages could inadvertently disclose information. “I’m out of the office, check with Joe at 555-12324.” Now the bad guy has another contact name. In this era of LinkedIn, I’m not sure how big a disclosure this would be. You decide for your environment.

OOF messages could verify your email address to spammers.
Your spam product and mail server should be blocking directory harvest attacks at the gateway. I wonder if it’s still true that “verified” email addresses are more valuable to attackers. Either way, my spam filter prevents spam from reaching my inbox anyway.

OOF messages could help an attacker engage in social engineering.
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. “Roger let me do that.” Personally I think that is a problem with training, not OOF.

OOF messages could alert an attacker that it’s time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there.

Now that we’ve gone through some OOF FUD, how can you OOF safely?
1.  If you’re running Exchange 2007 or later you have the ability to use a different message for internal senders and contacts versus external senders.  You can also perform OOF only for people in your contacts.

2.  Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes.   I think this is the real root of the anti-OOF forces, annoyance with mailing list OOF backscatter.

3.  The less said the better.

At work, you kind of need to let people know you won’t be getting back to them for a while. There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy. For most of us I think an OOF on the work email account isn’t the end of the world.

“Best Practices” are for people who cannot perform a risk analysis.   You’ll need to consider the risk environment and decide whether OOF is appropriate.

Symantec Password Survey

Symantec published the results of a survey regarding the password habits of people who read their Security Response Weblog. Nearly 450 readers responded. As readers of a security blog, their responses are probably far from the norm.
Link: http://www.symantec.com/connect/blogs/password-survey-results
Not surprisingly, the respondents have a lot of passwords. 66 percent report having more than 10 passwords. It’s hard to keep track of that many passwords. This leads people to do dumb things.
23 percent of respondents let the browser keep track of their passwords. While Firefox can use a master password to secure these stored passwords, I suspect most people don’t use that feature. Browser password caches are merely obfuscated and are not a secure place for your passwords.
7% have a note near their computer. This is OK if your office is secured from outside visitors. But even the home office of a hermit occasionally has workmen visiting.
11% use a Word document on the computer. Word or Excel documents can be lost if the computer isn’t backed up. It is also not a secure way to store the passwords. If you’re putting all your financial passwords in one place, wouldn’t it be a good idea to secure them? Perhaps they are in Word and password protected. But that wasn’t specified in the survey.
59% rely on memory. Passwords for work should never be in memory only. If you are hit by the proverbial truck, how much productivity will be lost regaining access? For more personal accounts, memory indicates possible password reuse at worst or use of a password scheme at best.
33% use a password manager. That’s great, but I found out in 2009 that you need to make sure your backups work if you’re relying on this method.
Check out the link for the rest of the results of this Symantec survey.

Telecommuting Security

After the February snow storms in the DC area there was a plethora of articles advocating the expansion of telecommuting in the Federal Government. The contractors that support the government didn’t close doors. They continued to work because many of their employees already work remotely in structured and unstructured telecommuting. Telecommuting brings new security risks.
Joan Goodchild writes about Four Telecommuting Security Mistakes in ITworld and CSOonline. That’s the starting point for this post.
1. Careless use of wifi and accessing unsecured networks
I don’t think people understand the security implications of “borrowing” someone else’s wifi or even using the free wifi hotspot at Panera/Wegmans/the local shop.
Wireless is a shared medium. You don’t know who is listening in or even potentially hijacking your connection.
2. Letting family and friends use work issued devices.
We’ve seen laptops destroyed by letting the kids use them. (Although we could wonder if the user didn’t want to fess up that they were the one dumping the drink on the laptop repeatedly).
The kids violate security policy by installing P2P software, potentially sharing out all company data on the laptop. My favorite was the time the VP who signed the memo banning P2P was caught with P2P on the computer. Must be the kids.
If you allow your users to use USB thumb drives and the drive is shared with the kids, the data could easily be formatted or stolen.
3. Altering security settings to view blocked sites
Sadly this isn’t an issue for us because there is no filtering when you’re not at work.
People are apt to disable any security control that keeps them from their goal.
4. Leaving work issued devices in an insecure location
This is the standard problem. What is a secure location? Laptops are stolen at work. Laptops are stolen from the trunks of cars. You’ll recall the Veterans Affairs case where a laptop was stolen from a home.
When you’re at Starbucks, do you leave the computer on the table while refilling your drink or hitting the restroom? People are far too trusting, particularly when it’s not their property that will be stolen.
5. “Backing up” corporate data to a home computer or NAS
This should be against your company’s policy. Proper enterprise backups don’t occur by copying files to what is probably an insecure location. It’s just bad.
6. Emailing corporate data to your personal email account
Corporate and customer data have no place in personal email.
7. Secure disposal of papers
While at work it’s easy enough to put documents in the document destruction bin (which is pulped). At home, if you’re lucky, the data is shredded. Then again, dumpster diving at the CEO’s house might turn up a lot of corporate data.
8. Incident Response
Was incident response built into your telecommuting program? Do users know who to call?

Do you have backups?

You don’t have backups unless you have successfully recovered from them. Sometimes you just have to learn lessons the hard way if you don’t take the time to learn them from others.
I’ve heard a lot of commercials lately pushing Mozy or Carbonite that pretty much guarantee that everyone has a hard drive failure at some point. This month the hard drive in my Dell Optiplex 755 at work gave up the ghost. Two weeks short of its end of lease. Very frustrating. But it was about to get more frustrating.
The enterprise desktop backup product we use is configured to back up the user profile, c:\data and c:\lotus. Unfortunately Vista is not a standard supported operating system at work, and the backup admin made a mistake when he configured the backup product to back up c:\users. It didn’t back up my user profile at all. So all I have is the backup I made in July when I migrated from XP to Vista. So I’m out quite a bit of work.
This really makes me wonder about all of my data. The trust is just gone right now. For my work computers, should I be using Windows Easy Transfer to back up my files on a regular basis? Should I just take a Ghost image on a scheduled basis, so I can recover easily? Hmmm, side note: I should check the software inventory for evidence of users performing rogue backups with Carbonite/Mozy etc.
For my home computer, I realize that only using Mozy’s free service I have a lot of mp3s and photos not backed up. That is important stuff to me. I also have never tested recovering even one file from Mozy. Need to do the due diligence.
Well, anyway, if you’ve read all this and you want to check out Mozy for your home backups, click on this link. We’ll both get 256MB extra storage space once you start using Mozy. Like I said though, I’d suggest verifying even a rudimentary recovery.
It’s so easy to assume that things work correctly. Most of us don’t have the time to verify that other people have done their jobs correctly. But when it’s going to really hurt if backups fail, it doesn’t take that long to do a test restore, particularly if you have access to initiate the restore yourself.
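A test restore in code, as an added example that is not from the original post: a SHA-256 manifest is taken at backup time and kept apart from the backup, and the restored tree is checked against it, so a file that was never backed up or one that came back altered shows up before you need it. The file names and contents are constructed for the demo.

```python
"""Verify a backup by restoring it and checking every file against a manifest."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (slash-separated relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Check a restored tree against the manifest taken at backup time.
    Returns {'ok': [...], 'missing': [...], 'corrupt': [...]} (sorted paths)."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: back up a small profile, then verify a restore in
    which one file was silently altered and one was never written back."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "profile")
        os.makedirs(os.path.join(src, "Documents"))
        files = {"Documents/notes.txt": b"quarterly notes",
                 "Documents/budget.xls": b"\x00constructed spreadsheet",
                 "ntuser.dat": b"constructed registry hive"}
        for rel, body in files.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(body)
        manifest = build_manifest(src)  # recorded at backup time, kept separately
        restored = os.path.join(work, "restore")
        shutil.copytree(src, restored)  # stands in for the restore job
        with open(os.path.join(restored, "Documents", "notes.txt"), "wb") as f:
            f.write(b"quarterly notes (altered)")  # silent corruption
        os.remove(os.path.join(restored, "ntuser.dat"))  # never restored
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work)
```

Calling `demo()` returns the report; against a real backup you would run `build_manifest` on the source before the backup job and `verify_restore` on a scratch restore of it.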

SEPM Upgrade Travails

Last night I started upgrading Symantec Endpoint Protection 11.0.4 to 11.0.5. I’ve been doing these upgrades since 7.0.1 and they rarely go smoothly; this one did not disappoint. As with most of these debacles, the development server upgraded without an issue.
The production server looked like it installed cleanly until I went to start the SEPM service after the install. The service exited immediately after installing. I searched symantec.com/connect and symantec.com/techsupp (support forums and knowledgebase). I got some logs to check and things to verify, I did a repair install multiple times. Ultimately I didn’t see a solution.
I initiated the disaster recovery procedures documented in the knowledgebase (and in a corporate document I wrote). First I made sure that my backed up keys and passwords were still good. Then I uninstalled SEPM and reinstalled it. As it was approaching 3:30 AM I decided to let the database restore run while I slept.
The next day I continued the DR procedures and found the GUI wouldn’t allow me to use what I thought the database password was. I unnecessarily went down the road of changing the password through ODBC. It turned out I was using the wrong password (which happened to use characters the GUI would not allow).
Once the database password was found, I had a new problem. I was restoring from a backup of the database. Of course the database had an old schema. I tried a couple of things to get it to upgrade. I believe it was an upgrade.cmd file that did the trick.
At that point I was able to log into SEPM, I verified that my configuration was still there and my clients were able to report in.
The (hopefully) last little piece of this struggle was finding 11.0.5 missing under client install packages. I believe the database restore was what caused that to go missing. I found instructions to manually import it.

Mozy and Flight 1549

We’re all familiar with the story of Flight 1549’s landing in the Hudson River. This week’s Mozy newsletter told a story of two sets of Jones (sorry, obscure Big Tent Revival reference). One man performed backups by copying files from one computer to another. He also used USB drives. The second man used online backup from Mozy.
After the plane crashed the first man lost both computers and the USB drives. The second man contacted Mozy and received the backed up data on DVD in four days.
Mozy of course is pushing this story to get their name out. It’s been carried by a USA Today technology blog and at ComputerWorld. I’ve seen some people charge that it is somehow creepy to be using this in advertising. I disagree. First of all, no one died. Second, war stories have a way of getting through to people in a way that no amount of cajoling can accomplish.
I do kind of wonder about the details of this story. A Computer Associates employee lost 250 GB of data due to a haphazard backup scheme. Don’t they use their own products? (lol, perhaps that was the problem). The guy was a consultant. It should make you wonder if your backup software works for people that are constantly on the road. Do your security system and software patching work for road warriors?
If you’re not using a backup solution, check out Mozy, Home users get 2 GB backup for free. If you click on this link and start using Mozy (signup, install and backup files), we’ll both get an extra 256MB of free backup space on top of the 2 GB.
I know, I’m at risk of sounding like a commercial. This is something I used and a story that I liked.

Shmoocon 2009 Day 1

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I’m not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.
Opening Remarks
by Bruce Potter
People are getting owned a lot.
Trends

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements
  • In spite of the above, we haven’t changed our methods. It’s a lot of the same
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?
Digging ourselves out
As with most security talks and papers, I felt like a solution wasn’t really there beyond “fixing fundamental problems.” I’m not sure if Bruce defined this. If he means teach everyone to code securely, then burn the existing software to the ground and start over, well, keep waiting for that.

The other talks on day one were quick 25 minute talks, I didn’t always have notes.
Open Vulture – Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O’Toole and Matt David
I didn’t take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.
Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you’ll have problems with PVC tubing not being rated for the PSI.
The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.
The bad guys lost their command and control of the botnet when McColo was taken down. The good guys figured out how the botnet was selecting the hostname/domain name used in the backup. (The exact math of that is probably available at blog.fireeye.com or look for the slides when available on the Shmoocon website). By registering those domain names they prevented the bad guys from regaining control.
Under U.S. law they felt they could not send out an “uninstall” command to the botnet army. It would also be risky since the botnet is in the kernel and you could potentially BSOD the clients.
No one asked about the return of spam that has been reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had brought the bad guys’ ASN back online briefly, allowing them to regain control.
Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.
Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.
I found the talk interesting. When you’re doing manual static analysis of files, this could come in handy.
Decoding the Smartkey
by Shane Lawson
Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Here is a video from Kwikset on how to rekey.
Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine the key heights, compromising the lock.

Moving

A little housekeeping blog post.
I’m moving web hosts this week. My old host is progressively more annoying. A few years ago the owners sold out to a company that operates many web hosting brands. After quite a bit of migration headache, things seem to have stabilized. Nevertheless, my contract is finally up, and I’ve decided to move on. I have a real problem with the attitudes displayed by the moderators on the hosting company’s forum. It was once a place of help. Now all they do is quote “we are not $company employees, contact $company support.” So much for peer to peer help. The last straw for me was when many customers were hacked and the company didn’t communicate beyond forcing a mass password change.
The new host has SSH access, which should make routine maintenance a bit easier. They also offer 50 GB of space for non-website related things like backups.
During the transition, I decided to refresh my style a bit. (although I am worried that this one is used by too many people already). The new style caused my AJAX comments to not work. So we’re back to the default comment submission method. That means more spam in the moderation queue.
So pardon the dust as I find widgets to add/remove.

Mozy online Backup

I’ve written before about Mozy the online remote backup solution.
Through the end of October, if you sign up and begin using Mozy backup, we both get an extra 512 MB of backup space (this is normally 256 MB).
Your account has 2 GB of backup space for free. This is an easy way to get a bit more. The software is relatively easy to use. Give it a shot so that later you aren’t crying about your lost data.

Get Healthy Plan for Small Business

Greg Playle’s article “The Seven Week Get Healthy Plan for Small Business” in this month’s ISSA Journal (ISSA membership required) outlines 7 security steps for small businesses to consider.
One of my friends recently received a telephone call from his doctor asking if he had an appointment. An upgrade of the appointment system had gone south and they were reconstructing the appointment book by calling all patients and asking them if they had an appointment. Whoever is handling the IT duties at these small businesses apparently doesn’t know to take a backup before starting an upgrade.
I’ve wondered many times just what the mortgage guy or my dentist is doing to protect my personal information. I feel like I don’t know them well enough to give them this article; at the same time, as a customer don’t I have the right to be proactive in making sure my data is protected?
There are a couple of errors in the article. The first I hope was an editor’s mistake. While describing how to gather the physical address to use to whitelist what servers are allowed on the wireless network, the example given is an IP address.
The bigger problem is that the author has apparently not read George Ou’s Wireless Security Myths that Will Not Die. If the author had read that he would not be making some of the wireless security recommendations that he makes.
Do not broadcast the Service Set IDentifier (SSID). Kismet will reveal hidden SSIDs. Not broadcasting it doesn’t gain you much except against the casual browser. The casual browser is already stopped by your use of WPA2.
Worse yet, your client computers will now have to probe for that network everywhere you go.
See also Josh Wright’s article Issues with SSID Cloaking.
PCI 1.2 no longer requires the disabling of SSID broadcast. The message is starting to get out.
Turn on Wireless Security to at least 128 bit WEP
You’re only buying time by using 128 bit WEP over 64 bit. As the retailers have learned, NEVER USE WEP if you have something to protect. Since this article assumes you need to protect the small business, I think the recommendation needs to be a bit stronger. I think even WPA-PSK is suspect for a work environment.
It seems like some of the things suggested are belt and suspenders solutions. Others are more like belt and Hawaiian shirt. The belt is doing the work, the shirt is just there for looks. If you have WPA2 do you really need DHCP reservations and MAC address filtering? If they break your encryption, are those things really going to help? Probably not.
The article over all is good. The experience of finding wide open wireless at a small business is far too common. This article will help.
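The article’s wireless advice turned into checks, as an added example that is not from the article, George Ou or Josh Wright: a small parser for hostapd.conf-style key=value files and an audit that flags WEP, SSID cloaking and MAC filtering standing in for encryption. The option names are real hostapd ones; the two sample configs and the 20-character passphrase threshold are my own constructions.

```python
"""Audit a hostapd-format wireless config for the weak advice discussed above."""


def parse_hostapd(text):
    """Return {key: value} from key=value lines; blank and '#' lines skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return (severity, finding) pairs in check order; [] means nothing flagged."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    wep = "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf)
    if wpa == 0:
        findings.append(("high", "WEP in use: 128-bit only buys time over 64-bit"
                         if wep else "open network: no WPA/WPA2 configured"))
    else:
        if wpa & 1:
            findings.append(("medium", "WPA1 still allowed; set wpa=2 for WPA2 only"))
        if "CCMP" not in conf.get("rsn_pairwise", ""):
            findings.append(("medium", "rsn_pairwise should include CCMP (AES)"))
        psk = "WPA-PSK" in conf.get("wpa_key_mgmt", "WPA-PSK")  # hostapd default
        if psk and len(conf.get("wpa_passphrase", "")) < 20:  # heuristic threshold
            findings.append(("medium", "short PSK; PSK itself is suspect for a business"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("low", "hidden SSID: Kismet reveals it, clients probe everywhere"))
    if conf.get("macaddr_acl", "0") != "0":
        findings.append(("info", "MAC filtering is cosmetic once WPA2 is doing the work"))
    return findings


# Constructed configs: one following the article's advice, one corrected.
ARTICLE_STYLE = """
interface=wlan0
ssid=FrontOffice
# "hide" the network
ignore_broadcast_ssid=1
# 128-bit WEP (26 hex digits)
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789
# allow only listed MAC addresses
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

HARDENED = """
interface=wlan0
ssid=FrontOffice
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-long-passphrase-for-the-front-office
"""

if __name__ == "__main__":
    for name, text in (("article", ARTICLE_STYLE), ("hardened", HARDENED)):
        print(name, audit(parse_hostapd(text)))
```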