Posts by Amos1 203 publicly visible posts • joined 9 Feb 2014
Wow, snarky and pointing the finger away from themselves all in one sentence?
"The company added: "Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability.""
Shouldn't that line read:
The company added: "Companies who have followed fundamental internet security guidelines and best practices will not have clients affected by this vulnerability."
Let's not forget that FirstEnergy had a direct, unfirewalled T-1 connection to their internal network with a vendor who got a Blaster infection. Blaster spread across the T-1 to the FirstEnergy internal network and clobbered a bunch of systems including monitoring systems.
At the time I worked in the city next door to Akron, OH, where FirstEnergy's headquarters were located. When our data center cut over to UPS and the entire company headquarters went dark, we hurriedly patched what we could for Blaster. Yes, we had our own Blaster infection going on because our non-technical CIO banned most patching because it "interfered with getting work done."
Why "what we could"? Because our non-technical CIO thought a 15-minute UPS capacity was good enough for anyone and we had no generator despite being multi-national corporation hosting SAP for worldwide operations. Four months later we had a generator.
He would not let us buy LCD monitors or KVMs because they were too expensive. So we had a bunch of old CRT monitors on all of the servers. Turning those monitors off bought us another five minutes of battery power.
My favorite was to enter an Alt+255 sequence on the numeric keypad while typing in an app's field or free form text field. That enters a NULL character. I used to use it in my passwords instead of a space.
I once did that on a new database app and it was unrecoverable for some reason. I mean unrecoverable as in they had to restore the database from a backup. Once their app tried to read the high ASCII it barfed all over itself. Fun times. :)
If you've ever had to do what they described (resurrecting an ancient system, NOT knocking off auditors), click the Up Arrow. If not click the Down Arrow.
If I could click my own posts I would, several times. The best one was when we had to bring up an old server in 2016 from an acquisition years before I started with the company. A Novell 3.11 server with the acquired company's financials.
We'll do the auditor poll another time.
Witnessed it personally as well. The boss was a Ph.D chemist and absolutely brilliant (seriously) and was head of the company's large Research Center. He developed numerous well-selling chemical products still in use today in the polymers industry. But he just did not understand computers at the time (early 2000's). His AA printed out all emails and put them on his desk, he hand-wrote the replies and she then sent them.
Once he was at a remote plant and needed to use remote access to pick up emails because his AA was in another state and that location's fax machine was out of service. I was given the call when it came in of "can't connect". He was a great fellow so I liked working with him. This was a dial-up connection using a Windows 95 PC with a third-party dialer.
We started from scratch with me saying "Click on the Start button" followed by several seconds of silence followed by "Where is that again? As you know I don't use this thing very much."
I eventually got him connected and he thanked me for my patience. He then asked when I could spare some time to stop by the Research Center and give him some PC lessons. He said "I suppose these things are not going to go away." We laughed and I gave him the lessons.
A few years ago he sent me a message via LinkedIn from the university where he now leads the polymers science center and said "Hey, remember back when I couldn't find the Start button? I think I've got this thing figured out." followed by a smiley face.
I had not heard from him in years and I thanked him for the best laugh I'd had in a long time. And it was.
"To be honest, having a shutdown button right next to the door is always going to ask for trouble."
Indeed. If one wants to prevent accidental or malicious activation then design the shutoff like the nuke missile silos. Two keys required and separated by enough distance that one person cannot turn both at the same time. Perhaps one at each data center door. Problem Solved.
While this may cause other problems, my job was to fix the accidental or malicious activation problem.
"For some reason it took managers always a couple of weeks to translate that to the correct eight letter word (junior devvers got it immediately)."
Management is the same the world over. As I'm nearing retirement I've been using www.timeanddate.com a lot. It has a date-to-date calculator and will automatically subtract weekends and US federal holidays, leaving "work days". I then subtract out unused vacation (holiday) and expected sick time leaving me the days I'll need to report to work.
When I finally got below one year I had this exchange with my manager, a company senior manager who had asked me for a year's notice (I was there a long time, understood a lot of the IT history and had a lot of tasks to transition):
Me: "I only have 300 days at work remaining before retirement."
He: "What? You only have 300 work days left?"
Me: "No, I have 300 days at work left. There is a difference."
He just looked very confused whilst all of the non-managers in the room immediately broke out laughing.
Old, large diversified manufacturer with disparate lines of business from acquisitions and no ERP system. Nine financial systems, fifteen phone systems, etc.
Decided early on to modify company processes to match SAP regardless of the pain to avoid, at all costs, any software customization. It took two years to do that part, before the SAP implementation could actually start. Several older people left the company because of it. The 43-year-seniority Fixed Assets manager sat through the discussions and presentations on his area and then said "That looks great but I need all of the screens to look like this" and handed out printscreens of the current AS/400 green screen. Company regrouped and assigned three people to learn the fixed assets business and realized what a horrible mess it was (we were paying personal property taxes on equipment that had been disposed of years earlier kind of thing). Old manager was thanked for his years of service and got retired. Other stories were similar.
One major customer heard of the SAP project and summoned the division president to their headquarters. Customer read him the riot act about how how their business had been seriously damaged by other suppliers switching to SAP. Customer demanded three months of materials on site prior to the SAP cutover date, to be billed on usage (consignment). Our president readily agreed. Customer was very happy that we had agreed so easily and asked what the cutover date was. Our president replied "Three weeks ago." And it was.
It's all about whether a company says they want change or whether they really do want to change. Too often it's the former. We've all seen numerous examples of that behavior too often.
We had an entire data center "go quiet" once for a semi-related reason. The EPO button (emergency power off or Big Red Button) can be wired one of two ways, normally closed or normally open.
Normally closed is similar to a light switch that is always on and flipping the switch kills the power. That's how this one was wired. Even though everything had preventive maintenance twice a year, "everything" did not include that 20 year-old push button and its wiring screws slowly loosened up.
Then one day someone came into the data center and when the door closed behind them, the door next to the Big Red Button, it got very quiet.
The electricians said someone had pushed the button and the person who walked in was worried he was going to lose his job, But the security cameras showed he was nowhere near it.
The EPO button is now wired as normally open...
The opposite of security is not insecurity. The opposite of security is overly convenient.
The issues described in this article probably apply to 99.9999% of all IT systems operators in the world.
When I do interviews of prospective vendors I always ask the question "Do you have staff dedicated 100% to operational security (not including compliance) or is security everyone's responsibility?"
The competent ones answer "Both."
The dumb ones enthusiastically respond "No. Security is everyone's responsibility!"
When something is everyone's responsibility it's no one's responsibility.
https://books.google.com/books/about/The_Cycle_of_Cosmic_Catastrophes.html?id=d1ooDwAAQBAJ
It's still one I enjoy re-reading because of the way they wove the story. They tied physical evidence on earth to other evidence of a supernova causing an extinction-level event.
"...if its an even vaguely secure area no script that you have not copied locally and validated does what you think it does goes in, is this so hard to understand."
I'm not understanding how that matters. If the script links in external references the script can be benign when tested but not necessarily in the future.
Still relevant after all these years: Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
I'm waiting for the Google Analytics site to get whacked, if just by a resource-consuming coding error.
"I got to a human who said that if I'm NOT in the equifax or experian databases, they cannot prove I exist! (I am in the OPM as I had a security clearance, or I should be, anyway -..."
You could probably ask the Chinese government for an affidavit of your existence since they allegedly owned both Equifax and OPM.
Let's not forget GUI's that let the unskilled call themselves "developers" and "admins" because they can drive a mouse. Or the proliferation of open-source code dropped into apps without nary a clue what is really going on inside those black boxes. Write once, hack many; the joy of code re-use.
Working for a bank, I can assure you that is almost impossible. Why? Because pretty much every company makes all accounts available from the Internet by default. So if you don't use it someone else just might.
You also should set transaction alerts for the smallest allowable amount, usually $1 or $5 because you should always know when one of your accounts is used.
You can request that Internet access be disabled one account at a time but I've seen many an upgrade enable them without warning.
We looked at a year's worth of outbound emails for the number of recipients. For business-related emails the max number of recipients was 7 so we set a limit of 10 maximum recipients per email. Others to church memberships, soccer leagues, baseball leagues and the like had dozens to hundreds. Those can't get sent using company email systems any more. All advertising, customer communications, etc. must go through a third-party mass-spammer and those are triple-inspected for format and content so there will be multiple, documented people to blame.
Every time an auditor asks us how we monitor for after-hours activity I ask why that is important. I point out that the Target (department store) malware turned itself on at 9 AM and off at 5 PM so its activity could hide in the noise of the daily operations. I point out that people simply walk away from their computers at the end of the day rather than shutting them down as policy says because they're lazy and their managers don't care so we'll always have after-hours activity.
I point out that monitoring for failed logins is far less valuable than monitoring for successful logins because, well, a failed login has no access to data. I mention that what the audit department needs to get HR to inform IT Security of people's vacation and out-of-the-office hours during the workday so we can monitor for use of their accounts while they're not physically present.
The auditor will stare blankly at me and say that their procedure says we have to be checking for after-hours activity. I reply that people never logoff and leave the applications running so we have a lot. They are happy that we're monitoring and the item gets its check mark. Audit Passed.
Are you certain you have to be logged in? I've never seen a CVSS 9.9 that required authentication. Usually if it's above 7 or 8 then it's unauthenticated. I think by default that all users are granted CREATE SESSION. Also remember that Oracle has a long history of down-rating their vulnerabilities but man, there isn't much difference from the max of 10.0 and 9.9
I wonder if a web app could be used to exploit this unauthenticated. Web user hits login page, service account hits database, kind of thing.
OT, does anybody know why the maximum rating is 10.0 when it's impossible to have a 10.1? Seems silly.
Northgate Computer systems had the best keyboard I ever used. It was my first PC, a 386 with 1 MB of RAM and two, count them, TWO 65 MB RLL hard drives. It only cost me $3,495. I later upgraded it to 4 MB of RAM by replacing around thirty-two discrete integrated circuits so I could run DesqVIEW. I used that keyboard for years.
Emergency Power Off, Normally Closed, and Normally Open.
At the company where I worked (in the last two years) the data center once went Very Quiet (tm) and it took a while to figure out. The EPO button was properly behind a plastic guard and no one was within five feet of it when things went Very Quiet. It developed that the EPO button was a normally-closed button (think of a light switch where the light is always on). A break in the circuit would cause the EPO to engage.
Yeah, in decades of preventative maintenance no one had ever removed the Big Red Button from the wall to check to assure its terminals were still tight. Years of people walking past and slight vibrations had loosened the terminals so that the next vibration momentarily broke the circuit and down everything went.
The electricians said they had seen the Big Red Button wired both as NC or NO and it was our choice. We had it rewired as NO so you had to push the button to engage the emergency power off function.
"Look at HTTPS compared to SSH. With SSH, no signed certificate is required. The first time you log onto a server you get a signature in your "authorized" store and if it subsequently changes, you know something odd (not necessarily nefarious) is going on and you can inquire."
When people visit hundreds of websites every day that method is completely unworkable, especially since much content comes from third-party sites and you never see their URLs in the browser. If the usual method to communicate a validity string, such as a SHA file hash, is to put it on the web page where a hacker could modify the binary and the hash value to match, it's of no value security-wise. It just assures you downloaded the backdoored malware intact. If you even bother to check the hash or SSH fingerprint.
And with the push to reduce the certificate validity period from two ears to one year or worse it's completely untenable. It only works for SSH because the certs never change, a risk in itself.
The article says the 1st but I know of more than a few companies that are figuring the date to be Feb, 11, 2020. That's the date of the first Patch Tuesday where there are no more free patches for Windows 7 or Server 2008.
If you want to strike the Fear of <insert deity> into someone, go to www.timeanddate.com, click on Date-to-Date Calculator, click on the "Count only workdays" link and then fill in the fields. (The link calculates US holidays; I do not know if it works in other countries).
As of today there are 397 workdays left to convert every one of your Windows 7 and Sever 2008 systems AND their applications to a newer version, a few more if you don't get all of the holidays. Presuming of course that your company cares about such things.
580 days if you work in a sweatshop.
"If somebody has physical access to the machine, they probably don't need the exploit anyway."
The reality of malware is that there is almost nothing nowadays that requires true "physical access" and in the age of virtual machines it's even more true. As MS themselves once noted, if the bad guy can get you to run their program on your computer it's not your computer anymore.
"For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody ...",
Not correct, not only because of malware (including JavaScript coming from hacked legit websites) but because one of the beauties of computers is that once someone has figured out how to do something evil, it's almost always trivial for the rest of the world to then do it.
you'll have what companies are also seeing. Start with .stream and .pw
Some large companies are simply blocking all 1,000+ and allowing exceptions as needed. The new stuff is as big a cesspool as .info and .biz turned out to be. If you're a real company, don't even think about using .pro because the real "pros" have beat you to it.
I had a serious fight to get HSTS and DNSSSEC implemented because Marketing was whining too loudly about the "What if..." nonsense. I won but I got scarred. Now we don't even bother to let them know unless they ask and being Marketing types they are totally inept technically so they never ask.
All a CAA record does is prevent non-listed Certificate Authorities from issuing a certificate for that domain. And as long as ID-10-T's want to save a few dollars and use Let's Encrypt, a CAA record authorizing Lets Encrypt effectively authorizes the world.
So in the State of Nevada where the government wrote PCI into law, meaning you are obligated to comply with all provisions of the PCI DSS, it's OK to keep all of that data. Presuming you are subject to GDPR, of course.
Perhaps this could inspire multinationals to incorporate in Nevada instead of Delaware and move all of the headquarters to Las Vegas. Their travel expenses to junkets also would be reduced. Win-win!
"John Doe Jr" is the same as "John Doe Jr." in real life. "John J Doe is the same on any legal document as "John J. Doe".
Treating punctuation differently in email addresses is no different than typo-squatting a domain name except it's less obvious.
Gmail has been this way for years and other sites should follow their example on all new email addresses. We know what evil lurks on the Internet so let's close off the easy methods rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
