Beginner’s Mind

Shoshin is a word from Zen Buddhism meaning “beginner’s mind.” It refers to having an attitude of openness, eagerness, and a lack of preconceptions when studying a subject, even when studying at an advanced level.

As IT people we aren’t always known for our attitude of openness, eagerness and lack of preconceptions. Its an easy field to get burnt out. And because of the ever increasing task list, everything is a task to finish in the most expedient way possible. Frequently this closes the door on finding new ways to do things, and listening to new ideas.

Thinking about shoshin as we approach the day could restore some joy. Or at the very least help us be better at our job.

Secure File Deletion

Today I received an email inviting me to buy a Easy File Shredder product for a special price of $15 instead of the usual price of $50.

Securely deleting sensitive data is really important. But is buying a product really needed?

This type of thing has generally been needed because when you delete a file, you are essentially marking the file space as unallocated, and until the space is used for new files, recovery software can “undelete” it.

For this reason, if I were deleting a sensitive file at work, I might use a something like sdelete from Microsoft Sysinternals or if I’d neglected to delete it securely, I’d use something like ‘cipher /w:F’ to wipe these file rementants from the whitespace.

Now I hear what you’re saying. These command line tools are fine, but a normal user might be needing a GUI. CCleaner has a securedelete functionality, as wells as a drive whitespace cleaner that can be used.

But this isn’t even the worst part about this. Many, if not most computers are now using SSDs for performance. The Secure File Deleting device I’ve given are for traditional drives. With SSDs you cant securely delete a file by overwriting the original blocks. There are no file blocks. A product like this is of questionable benefit.

What you need to do instead is make sure that you have full disk encryption enabled. On Windows this is bitlocker for your main drive and bitlocker to go for your removable storage. Then if someone were trying to recover files that you’ve previously deleted, they would need to first successfully authenticate to the computer.

Its the most wonderful time of the year – Patching

does that say patching plaster or patch faster? 😉

Remember back when Summer and Christmas break was a high time of concern.  The kids were out of college and ready to try out their skills.  Christmas was worse because so many people were out of the office, no one would notice.  Or if they did the response would be limited.   Now that’s what we call Tuesday afternoon.  Now days, the sysadmins have to deal not just with college code projects, but insider threat, money motivated attackers, and nation states.

This week, Microsoft’s “out-of-band” security update reminded me of the old times.    An out-of-band update is simply a unscheduled one.  Its released out of the regular schedule because it is currently being exploited.  This lends a sense of urgency.    Some companies may have already bypassed December updates because of staffing, or scheduling.  Anyone in retail certainly has a change freeze in effect.  Now on top of that there is a special update for Internet Explorer.

Information about the update for Internet Explorer is available here : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653 

Kanye’s Password

Everyone and his brother, inside of infosec and outside has been chortling at Kanye’s iPhone password.   Its 00000.

Not everyone is in on the joke.
Some express OUTRAGE.  “how dare you share that man’s password” (it was on CNN, its out there now).
Some (and these remind me of the 4D Chess MAGA people) theorize that Kanye is thinking 12 steps ahead.  He knew his password input would be on camera while at the White House so he temporarily set it to 00000.
And the last were the virtue signalers I mentioned.  “how dare you password shame Kanye, at least he has a password.”

And it is true.  By HAVING a password, encryption is enabled on the iPhone.
it is also true that few of us would be able to exploit knowledge of Kanye’s password as we don’t have hands on his phone.

But lets be honest.  A password of 00000 is pretty hilarious.

Self disclosure – one of my older accounts has failed the LastPass password audit because the password was compromised previously, and its used in more than one place.   But given the difficulty in updating this particular password, and the low risk level, I let it be until a forced password change recently.   Sometimes you just use dumb passwords.  And if it filmed I’d be razzed for it too.

Airplay Annoyance

I’ve never used Apple Airplay before.   I have an AppleTV that was free for paying  for a 3 month subscription with DirecTV Now.  But I hadn’t intentionally fired it up since cancelling that subscription.

This week I bought a new TV.   While watching The Dark Knight on Netflix, suddenly the TV changes inputs to the AppleTV and Katherines Ipad is requesting to perform remote control, and a PIN is displayed to be typed into the iPad.

Generally, I like to think I have a tight reign on my computer devices, but Apple has snuck this one up on me.

Apparently by default, via Bluetooth, my neighbors can connect to my AppleTV.   I’m guessing that with my old TV this would occur, and I just wouldn’t notice the AppleTV turn on, but the new TV is smart enough to switch to the new input.    So essentially Apple and Samsung have conspired to have my neighbor denial of service my movie watching.

First steps

  1.  Make sure the apple TV is on my wifi.   Pretty sure the neighbor hasn’t guessed my 100+ character pre-shared key.
  2. Disable Bluetooth.  Of course my generation of AppleTV cant do that.
  3. change the name of the AppleTV.  If everyone in the neighborhood is named the default “AppleTV”, no wonder people are accidentally clicking on the wrong device.   On my AppleTV, this was under Settings -> General -> About.  On newer models it is found under Settings -> Airplay.
  4. Under Settings -> Airplay -> Airplay, set Allow Access to “Anyone on the same network”.  The default is “everyone”.  I guess “it just works” trumps security.   Unfortunately I cant find good documentation if bluetooth users are considered on the same network.
    Set “Also Allow Nearby to Airplay” to off.  Again, having trouble finding description of this setting.  But it seems safe.
    Enable requiring a password for airplay.

    I then turned off wifi on my phone, and verified that no airplay devices were visible over Bluetooth

    And now that I”m looking further it seems my new Samsung is in perpetual discovery mode.   So any rando nearby can request to pair, and on the TV, I’ll be prompted to allow, deny or close.  Haven’t found a way to disable that yet.   Lovely.

Link – What happens when you reply to spam email (Veitch)

There are people who enjoy messing with scammers by replying to scam, or implementing the Jolly Roger Telephone company.

While its a few years old, I just watched a couple of James Veitch Ted Talks on what happens when you reply to spam email. Its hilarious.

This is what happens when you reply to spam email | James Veitch

Watch this video on YouTube.

Tuning up my WordPress Install

Dreamhost was sending me cryptic emails about my site using too many resources then dieing as a result.

Then Jetpack site monitoring was finding the site down, presumably due to running out of resources.

And the homepage loaded too slowly.

So a technical problem was at hand.

There aren’t a lot of resources out there for troubleshooting this sort of issue. GoDaddy has a long abandoned plugin that would tell you which WordPress plugins were using the most RAM. It no longer worked. The current state of site troubleshooting is to disable your plug-ins one at a time, and use another plugin to monitor site RAM usage. I found it better to start with a list of plugins known to cause excessive resource usage, and then run a speedtest at gtmetrix.com.

So I said goodbye to some plugins. The one I’ll miss the most is one that posted related posts on if you viewed a post from the single post page. Plugins like that are designed to keep eyeballs on that page. I also disabled the Better Tag cloud plugin. I liked it there in the sidebar. Tags are better than categories in my opinion. But Tag Clouds are really a think of the past. So is blogging for that matter. Yet here I am.

Jetpack is frequently a target for people trying to save resources. After reviewing the features I used, I decided to disable it.

The main thing slowing down my page, was the embedded Youtube videos. I installed WP Youtube Lyte, a plugin that now displays a screenshot of the video rather than embedding the actual video. When you click on the screen, then the video loads. If you’re on mobile, you’ll need to click twice. If you’re in a RSS reader, you’ll need to click the view on Youtube link.

Lastly, I made some changes to caching at Cloudflare following the cloudflare site settings listed in an article on W3 Total Cache and Cloudflare. I did not install W3 Total Cache. I’ll have to keep an eye on it to see if I’ve successfully enabled caching without delaying when people see my content.

When I started the front page of InfosecBlog.org was loading in 3 to 4 seconds according to gtmetrix. Its now loading in 0.6 to 1 second.

SMBv1 isn’t safe

Long before WannaCry used a recently patched Microsoft vulnerability to exploit machines, the recommendation was to disable SMBv1.

Disabling old protocols isn’t sexy.   You’re breaking things, and not introducing new features.  You’re fixing theoretical future attacks.   Perhaps the willingness to take on this challenge is a good measure of the maturity level of a security program.  Are you sitting around waiting for an attack so you have the justification of making a change.  Are you sitting around waiting for a vendor to do it for you.  (“I didn’t want to disable SSL3, your default browser did that.  Guess you need to update the server application.”)  Disabling it before an attack or before a vendor disables it for you is a better idea.  You can proceed at your own pace. You can do testing.

This doesn’t mean it’s an easy road.   One of my security product vendors sent out an alert today warning customers that disabling SMBv1 will lead to an unspecified loss of functionality.   This is the other problem.   Security vendors are all too lax about security.

Leaving old protocols enabled exposes you to vulnerabilities.  Frequently even when newer versions of protocols are available, downgrade attacks force you to use the vulnerable protocol.  Stay up to date on best practices.  Be proactive about your company security rather than just being a sit filler waiting for the next emergency.