SMBv1 isn’t safe

Long before WannaCry used a recently patched Microsoft vulnerability to exploit machines, the recommendation was to disable SMBv1.

Disabling old protocols isn’t sexy.   You’re breaking things, and not introducing new features.  You’re fixing theoretical future attacks.   Perhaps the willingness to take on this challenge is a good measure of the maturity level of a security program.  Are you sitting around waiting for an attack so you have the justification of making a change.  Are you sitting around waiting for a vendor to do it for you.  (“I didn’t want to disable SSL3, your default browser did that.  Guess you need to update the server application.”)  Disabling it before an attack or before a vendor disables it for you is a better idea.  You can proceed at your own pace. You can do testing.

This doesn’t mean it’s an easy road.   One of my security product vendors sent out an alert today warning customers that disabling SMBv1 will lead to an unspecified loss of functionality.   This is the other problem.   Security vendors are all too lax about security.

Leaving old protocols enabled exposes you to vulnerabilities.  Frequently even when newer versions of protocols are available, downgrade attacks force you to use the vulnerable protocol.  Stay up to date on best practices.  Be proactive about your company security rather than just being a sit filler waiting for the next emergency.

Battery Backup PSA

One of the better things you can do to protect your money spent on electronics devices is have a good surge protector and battery backup.   If you’re like me, you only buy the kind where you can disable the audible alarms.  The problem with this is now you might not get any warning if the battery goes bad.

In some cases you’ll have the battery backup connected to a computer via USB and receive notices that way.  But in other cases where the battery backup is protecting home entertainment equipment, your cable modem or your router, you might not know you have a problem until you happen to be home during a power hit.   Imagine how many times your equipment may have taken a hit that you didn’t know about.

The battery backup I just purchased says the battery is good for about three years.   So put it on your calendar.   If your battery backup has a visual indicator that its broken check that.   And you may want to use the software that comes with the battery backup to connect to each and manually run a self test.  (consult your own UPS manual about the best way to do that.)

Wanna Get Away – Generals Password

I see this was posted 3 months ago to Youtube, but its new to me.


This being blogging, lets over-analyze.

The General’s password is ihatemyjob1.

Not a bad password.  Using a passphrase is easy to remember.  Easy to type.
No doubt he should have capitalized the “I”.  Most systems can handle spaces, which would add some length.  Putting in a “@” in for a and a “0” in for o would add some complexity.  If the password file is compromised, this wouldn’t be enough to prevent breaking the hash.  But its good for a day-to-day logon.  For accounts where a password safe can be used to ease login, random would be better.  But that doesn’t work for every account.

The General’s password is echoed to the screen.   Typical security controls require that your password not be displayed on the screen.  It should be replaced by asterisks.  The General would also have been better entering it himself and not telling a subordinate the password.  He could have turned off the output of the computer to the big screen temporarily to prevent the room from seeing the password.

In pressure situations, its easy to take actions that compromise our security.  This is the type of feeling that phishers, and fraudsters often try to create so you just act and not thinking about if what you are doing makes sense.

Yes, it’s just a funny commercial.  But it can also be used as a teachable moment.  Hopefully without sucking all the fun out of the commercial

Configuring GMail to check ISP Mail

My primary email address assigned by my ISP can’t be changed.   It gets a lot of spam  In the past that wasn’t really a problem because I rarely used it for anything, but a few years ago I foolishly began using it on resumes.   Its format is first initial + lastname @ ISP so its relatively professional.   Unfortunately there are other people in the world who think that is their email address.   That doesn’t help the spam problem.

I could just not check it.  But I might miss important emails from my ISP.

I decided that rather than continuing to see spam on my iPhone, then subsequently opening webmail in order to report the spam that I would use GMail to pull my ISP mailbox.   GMails spam filters are much more robust, and thus far I haven’t had a single false negative or false positive.

Configuring GMail to check external accounts using POP3 is easy.   You can google that up if you really want to know how.  During the config, you select whether to leave a copy of the message on the server.   While setting this up, you can set up all mail from this account to be stored with a specific label so it doesn’t get lost in all your other Google Mail.

When I was searching for how to do this, I did see some people who caution that Google pays attention.  And if don’t get that much mail, it will check less and less frequently.  That isn’t an issue for me since nothing of importance occurs on that account.  But it is something to be aware of.

Happy with my decision to leverage Google Mail’s spam filter against my ISP mailbox I then configured my iPhone to no longer check that account separately.

Siri Lock Screen Bypass in news your non security friends read

This morning I read an article on Good HouseKeeping (don’t make fun, it was a link on one of the news links that get pushed in your face on my start page.  I think it was Bing. I hate the news links but like the pictures).  It’s interesting to see what security items make it into websites for ‘normal’ people.

The scare headline read “A New iPhone Hack Lets Anyone Use Your Phone”.  It reports that Siri by default allows some actions even when the phone is locked.    Pranksters can use Siri to send texts to contacts, make calls, and update Facebook.

In the past full access to the device has been achieved though this type of Siri access.  This is one argument for disabling Siri at the lock screen (Settings -> Siri -> Allow Access on Lock Screen (off)).   While you lose some functionality, you are no longer susceptible to practical jokers or people with more nefarious intent.

I’m not aware of a Mobile Device Management platform that can disable this setting.  If you’re managing an enterprise environment where the MDM platform cannot enforce this setting all you can do is educate, instruct, and require.  (Where I work, I had to sign a form confirming I’d disabled this setting).


Password Expiration

FTC Chief Technologist Lorrie Cranor wrote in March it is time to reconsider mandatory password changes.

Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)

The prime reason given is users pick bad passwords.   That doesn’t seem like a justification to me to not change passwords.  It is a problem that could be avoided by using a password similarity rule in your password rules.  You could force longer passwords to encourage passphrases.   I do agree government password policies get a bit ridiculous (8 digit pin that must be changed used in conjunction with SecurID.  That just seems like overkill).

I like to use a password manager.  This allows most of my passwords to be something long and unknown.   They are protected by a strong password, and a second factor of authentication.   Educating people about using these tools seems like a great way to go.  At any rate, I didn’t want to make this rare post a rehash of old password arguments.   The Cranor post is worth reading.

This week Troy Hunt of received a copy of 68 million accounts from Dropbox.  A hack occurred in 2012 and at the time Dropbox forced a reset to some accounts.  If a user didn’t change their password since that hack they would be effected.   If they changed that password, but used the same credentials elsewhere they would be effected.

The idea of changing the password only in case of known compromise is defeated when you realize that you don’t always know about compromise.  Companies don’t disclose.  Or they don’t force a password change and you miss the announcement.  Or you change the password for that account but use the same password somewhere else.

While changing a password every 90 days is overkill for most accounts, there is a happy medium between that and never changing them.   Using a password manager (or at least the correct password manager) will let you know the age of your password (age starting from the point you add it to the database . Obviously it doesn’t know the actual password set date.  Some password managers are able to attempt change the password for you, so you only have to click a button (works on specific sites only).

In either case proactive monitoring for compromise is important.  You can enroll your username or email at to be notified about new breaches that affect your accounts.  Some password managers have this functionality built-in.

IRS Phone Scams

I received the following voicemail on my home number today.

“The reason of this call is to inform you that the IRS is filing lawsuit against you to get more information about this case file. Please call immediately on our department number 347-637-6615. I repeat 347-637-6615. Thank you.”

While tax season is the high season for this particular scam, “The IRS is filling a lawsuit against you” strikes fear into the heart of the recipient any time of year.  Scams are designed to get you to take action.    Even when you’re familiar with scams like this, you take pause.

The IRS will send written notice of tax due.  Phone calls like this are not the norm.    For more information check out this this alert at the IRS website.

Vulnerability Scanners and HTTP Headers

This week Tenable released a new “plugin” (what they call a vulnerability detection) named “Web Server HTTP Header Information Disclosure”, plugin id 88099. In spite of even the title saying it only an information disclosure vulnerability, they rate this a medium.  In my environment that means we need to address it.  I think its a little crazy for an information disclosure vulnerability to be rated that high. It turns out Tenable has ceded vulnerability severity ratings to the CVSS system.  So because this has a CVSS score of 5 it has to be rated moderate.

Now with SecurityCenter, I’d be able to change the security severity of this detection.  I’m not sure that’s possible in Nessus.  Even so, when scanning servers for other people, you cant just change the results of the scan.  And now the problem, the other party’s security people dont have the ability to make rational security decisions.  They just want all the detections gone.

Having a web server banner is one of those vulnerability detections from 15 years ago.  Its kind of weird that Tenable is just writing this detection now.   Having a server banner visible isn’t some vulnerability in the server software.  Its part of the standard.   Who is removing this information supposed to stop?   It might stop a script that checks server versions and the applies a specific exploit or test (perhaps it would stop a naive vulnerability scanner).  That’s about it.

It would be one thing if it were easy to change.  For example removing “” is easy to remove.   Removing an IIS version is probably going to require URLscan as if this were IIS4.

The Case of the missing 5 hours

Animated_Spiral_Clock_with_2_pointers_by_Robbert_van_der_SteegI had some Windows 2008 R2 servers in Amazon AWS EC2.  To save some money, they were turned off when they weren’t needed.   I noticed when I did boot them that they had some time issues apparently jumping from Eastern US time to UTC time for a while before switching back.

It seems when you search for time issues, specifically when you have a *nix Host Operating System set to UTC and a Windows guest OS set to a local timezone people will link you to the “RealTimeIsUniversal” registry key.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal = 1  REG_DWORD

The problem is, that registry key was already set.

Further searching brought me to Amazon’s article about setting the time for a Windows OS.

This had a couple of suggestions.  To make sure that KB2800213 and KB2922223 are installed.   After some searching it turned out that KB2800213 was superseded by KB2922223.   Also KB2922223 was already installed.

Checking the Windows Event Log found the time was changed by the Citrix Tools for Virtual Machines service.   “C:\Program Files (x86)\Citrix\XenTools\XenGuestAgent.exe”

I verified that this service was causing the issue by restarting just the service.  Sure enough, the time changed to UTC.  Then when I opened up time in Windows and had it check against the NTP server, it changed back to local time.

To resolve the problem, I upgraded the Amazon EC2 Paravirtual Driver.   This had a prerequisite to update EC2Config.

With a solution found and tested on one server, I turned over the resolution on the other servers to the System Administrators.

Incorrect time impacts security logs and any subsequent troubleshooting or investigation.  According to Amazon, issues like this can cause problem with DHCP leases.   There can any number of unknown application problems.   I expect Kerberos wouldn’t be very happy either.