Archive for the ‘IT Advice’ Category

One More 2017 Prediction

Friday, February 3rd, 2017

Hacktivism against Donald Trump. This will happen bigly. You’re gonna see some of the best, the absolute best hacktivism directed against Donald Trump. Real gold standard stuff here. They will hack the cyber like you wouldn’t believe. They’ll hack so much, they’ll get tired of hacking, but then they’ll hack some more. They’ll make hacking great again.

In all seriousness, the man is a lightning rod and will be attacked. He doesn’t have to be attacked directly, either. I just read about how six radio stations were hacked to broadcast an anti-Trump rap song. The hacktivists in this case did not go against a Trump-owned or -affiliated web property, but exploited a weakness somewhere else to broadcast a general anti-Trump message.

Probably the biggest target will be Twitter accounts. Trump has made his Twitter account his official mouthpiece, so taking control of that would be the top achievement for any anti-Trump hacker. But what else could be targeted?

Did your firm make a deal with Trump? You are a target. Did your firm’s owner support Trump in public – or perhaps not condemn him swiftly enough for the taste of an anti-Trump person? You are in the crosshairs of hacktivists. Did your firm or organization make a donation to his campaign fund? There is a big bullseye on your website.

Think along those lines and the more Trump does controversial things, the more cyberattacks will be launched specifically to protest those controversies.

IT Counterintelligence

Monday, August 22nd, 2016

I really don’t like blaming all IT-related intrusions on “hackers”. The elaborate ones aren’t just some kid that’s figured out how to do a ransomware scam. They’re run by criminals and spies, or a mix of both. Being attacked by just hackers has a bit of comfort implied in that wording – hackers only use computers, right? They’re people with poor social skills that never break out of that stereotypical mold, right? But to say that criminals or spies were involved means that the attackers have a wide range of tools at hand to get what they want. They’ll engage in blackmail, murder, deception, all that criminal and spy stuff along with the IT-related intrusions as part of a comprehensive program to gather information.

These guys have zero intention of compromising the target beyond what is needed to gather information. They prefer that there be no ransomware or worm taking things down. They want five nines of uptime as much as the CEO does. They penetrate deep into a network and they require more than just an IPS or DLP in place to keep them from taking secrets out. They need some really paranoid thinking on the part of the target’s employees to minimize what they’re able to gather.

To that end, I’m going to recommend two videos from YouTube about counterintelligence.

Take a look at the first one. It’s a little harsh, I agree, but it’s also for combat. All the same, it sets up a mindset I’d like users in general to have in regards to security. Don’t write down passwords. Don’t send information over unencrypted, unsecured channels. Don’t think for a minute that LinkedIn and Facebook aren’t unencrypted, unsecured channels… stuff like that…

The other video is about tracking down and gathering information in a counterintelligence operation. It’s not just a matter of stopping the spies: it’s a matter of making sure that they don’t continue to penetrate one’s organization. If a firewall stops an attacker from getting in one way, it’s not necessarily a success. It just means the attacker will try to find another way in.

Real security is never thinking that the bad guys have given up and walked away. Some will, sure. But the rest? They’re always there, watching and probing. Real security means always watching and maintaining OPSEC.

Hell Hath No Fury Like an Admin Scorned

Friday, July 29th, 2016

Take a good look at this guy, because he may potentially be more devastating to your company than a major natural disaster. He is an admin, and he’s not happy about going to work every day.


A network admin from Citibank was recently sentenced to 21 months in prison and $77,000 in fines for trashing his company’s core routers, taking down 90% of their network. Why did he do it? His manager got after him for poor performance.

I don’t know how the manager delivered his news, but it was enough to cause that admin to think he was about to be fired and that he wanted to take the whole company down to hell with him. Thing is, he could have done much worse.

What if he had decided to sell information about the network? What if he had started to exfiltrate data? What if he had set up a cron job to trash even more network devices after his two-week notice was over? And there could be worse scenarios than those… what can companies do about such threats?

It’s not like watching the admin will keep the admin from going berserk. This guy didn’t care about being watched. He admitted to it and frankly stated that he was getting them before they got him. His manager only reprimanded him – who knew the guy was going to do all that just for a reprimand? But, then, would the company have endured less damage if it had wrongfully terminated the admin, cut him a check for a settlement, and then walked him on out? So what about the other admins still there? Once they find out how things work, they could frown their way into a massive bonus and we’re heading towards one of those extremes I mentioned.

So what does a manager do with a poorly-performing employee that’s about to get bad news? Or with an amazingly good employee that nobody (including him) knows is about 10 minutes away from an experience that will make him flip out? Maybe arranging a lateral transfer for the first guy while everyone changes admin passwords during the meeting… but the second guy… there was no warning. He just snapped.

Turns out, good managers don’t need warnings. Stephen Covey wrote about the emotional bank account, and IT talent needs a lot of deposits because the demands of the job result in a lot of withdrawals. A good manager is alongside her direct reports, and they know she’s fighting battles for them. That means a great deal to an employee. I know it’s meant a great deal to me. My manager doesn’t have to be my buddy, but if my manager stands up for me, I remember that.

Higher up the ladder, there needs to be a realization in the company that it needs to pay the talent what it is worth. I’ve known people that earned their CCIE, expected a significant bump in pay, and got told that company policy does not allow a pay increase of greater than 3% in a year. They leave the company, get paid 20% more to work somewhere else for a year or two, and then their former employer hires them back for 20% more than that. By that time, though, they’re now used to following money and not growing roots to get benefits over time. By contrast, maybe a 20% bump – or even a 15% bump, maybe – could have kept the employee there.

What are the savings? Not just the pay. The firm doesn’t have to go through the costs of training someone to do the job of the person who’s left. The firm retains the talent, the talent is there longer and now has a reason to try to hold on to those benefits, and there’s a sense of loyalty that has a chance to develop.

If an employee has a sense of loyalty, feels like compensation is commensurate with skills, and has a manager that fights real battles, that employee is better able to ride out the storms of the job and not snap without warning. If that manager has to encourage an employee to do better, maybe then he’ll try harder instead of trashing all the routers.

There may be no way to completely prevent these damaging outbursts from happening, but the best solutions for people’s problems aren’t technological. They’re other people, doing what’s right.

RSAC 2016 Reading List

Friday, March 4th, 2016

Hello one and all, and I hope you’re in a security frame of mind. Here’s a list of things to read up on, as recommended by presenters at RSA Conference 2016:

A free proxy server for home use from Blue Coat: I’m using it now. Although I needed to open up YouTube for personal use, I like knowing that it’s leveraging that vendor’s ability to block malicious content. Proxies aren’t just for kids anymore. Every layer of personal security helps.

The Security Awareness Company: Lots of free stuff here, including humorous parody videos. Worth a visit or three, and there may be something useful for your enterprise here.

Google Hacking for Penetration Testers: A very juicy PDF with information on how to Google things up like you never dreamed possible. If you like it, consider buying the book.

How to Fool a GPS: suggested in the session that dealt with hacking the XBee traffic in a commercial drone.

Janell Burley Hofmann’s Contract: This is for the kids and their parents. Parents would do well to sign a slightly modified version of the contract.

SFS.Gov: Instead of having ROTC pay for college, how about getting the NSF to pay, with the students working in the US Government cyber-security services after graduation? An excellent way to start a career in security.

CERT Guide to Insider Threats: PDF of contents, index, and sample chapter. If you want a complete picture of security, you need to look at the threat within, and the authors of this book really know their stuff.

ICS CERT Summary of Ukraine Power Grid Hack: Nice summary, should get you thinking and, hopefully, researching this matter further. The means by which the hack was accomplished were not all that difficult to mitigate.

ASD Top 4 Mitigation Strategies: Your firm would do well to adopt these as standards.

I hope this helps you all to have some very paranoid fun.

You’re So Vain

Wednesday, October 30th, 2013

So you think the NSA has time to bug the likes of you? Please. You’re not that important, unless you’re doing things to make yourself stand out, like trying to use encryption and anonymizers for all your Internet traffic. Just think about it…

There are hundreds of millions of Internet users in the USA alone. If you’re in the USA, you’re one of them. That means your traffic is aggregated with all other traffic and dumped somewhere. There is no one person that will single out your traffic to hold up and mock: if you aren’t doing anything exceptional, you’re just part of the vast flow of sludge that passes through the Internet pipes. Even if what you’re doing isn’t particularly sludgeworthy, your traffic is in the mix, so you might as well know what’s flowing alongside your ones and zeroes.

We can start with the 166 million Facebook pages for USA users. Imagine wading through 166 million Facebook pages every day. The number of game spam updates alone would drive a mortal into madness. Then there are the people that post things Facebook has to take down, due to the content being explicitly sexual, overly violent, or slightly critical of the Turkish government’s treatment of its Kurdish population. All that goes to the NSA before it gets taken down by a Facebook drone in Morocco or Vietnam. Those guys usually lose their minds after only a few weeks of doing content review grunt work: there’s no way the NSA wants to expose its staff to that kind of attrition. Let a computer filter it and then file away the report where nobody sees it.

It’s not like the NSA is actually doing anything with that data. How many times do Americans get to see the making of a terrorist/murderer on his Facebook page after the fact? You’d think the proactive chaps at the NSA would swoop in on something as obvious as some of the stuff that these guys put out. The reason why they don’t is that they’re not looking at individual numbers. They’re looking at patterns formed by masses of users.

If you’re doing something unusual like using Arabic in Greenland, that’s going to get on the NSA’s list of things to monitor today. If you’re merely indulging in your favorite sins on the Internet, nobody in a spook lab is giving a flying flip about you. The Facebook traffic is just the start: think of how many times “Friday” or “Oppa Gangnam Style” wound up on an NSA traffic haul. Yeah. Just carry on, citizens, because there’s so much stuff going on that there’s no way you’ll get noticed unless you’re as unique as someone who gets noticed.

Backup Or Die

Sunday, August 18th, 2013

So your boss comes in and says, “Hey, we need some backup software. Check out some vendors and let me know who to go with.” What do you do?

Most people panic and go with whatever they saw used at the last place they worked. It’s like they never heard of Google. Most people, it seems, have never heard of Google. Remember that: in the land of people that never search, the one-search man is king.

Those that don’t panic tend to do a perfunctory search and then find a vendor that looks pretty good. Then, like the guys that panicked, they order just one kind of software without checking to see if it’s compatible with their enterprise needs.

Bunch of morons…

If you have mail servers and databases, make sure that the software is able to back up those platforms without requiring that they shut down. What about VMs? Do you need a specialized agent for those? Centralized tracking? Alerts for jobs that didn’t complete? Image storage? Archiving? Did you even think to ask those questions? If not, start asking them and get answers so that your backups will actually accomplish something and not just be money spent on nothing.

And if the backup system is already in place when you show up on day one, make sure that it’s set up properly. What if the guy that was there before you set everything up with trial software that expired the day he walked out the door? What if there’s an error that happens every night because the main database backup isn’t executing properly and the guy that set it up two years ago told the night operator just to ignore it and click through the error? Yeah, you want to check things out, because if you don’t do your due diligence up front, it’ll catch you in the behind.
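Here is the day-one check that paragraph calls for, as an added example rather than anything from the original post or from any backup vendor: a small Python audit that reads the backup system’s job log and flags jobs that never ran, jobs that fail every night (the “just click through it” error), and jobs that report success but wrote nothing. The log format, job names and the 26-hour staleness limit are constructed assumptions for this example; point the parser at whatever your real product emits.

```python
"""Day-one backup audit: read the backup system's job log and flag the
problems the post warns about (silent nightly failures, expired trial
agents, jobs that never ran, "successful" jobs that wrote nothing).
Added example; the log format and job names are constructed, not any
vendor's real output."""
from datetime import datetime, timedelta

# Constructed sample log: "date time job STATUS size_bytes message".
SAMPLE_LOG = """\
2013-08-16 02:00:05 mail-store OK 5368709120 completed
2013-08-16 02:15:42 db-main FAILED 0 agent license expired
2013-08-16 02:30:11 fileshare OK 0 completed
2013-08-17 02:00:07 mail-store OK 5372903424 completed
2013-08-17 02:15:40 db-main FAILED 0 agent license expired
2013-08-17 02:30:09 fileshare OK 0 completed
"""

# Every job the business expects to exist; a job missing from the log is a finding.
EXPECTED_JOBS = {"mail-store", "db-main", "fileshare", "vm-cluster"}
MAX_AGE = timedelta(hours=26)  # a nightly job whose last success is older than this is stale


def parse_log(text):
    """Turn log lines into dicts; skips blank lines, raises on malformed ones."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, job, status, size, msg = line.split(maxsplit=5)
        entries.append({
            "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "job": job, "status": status, "size": int(size), "msg": msg,
        })
    return entries


def audit_backups(entries, expected_jobs, now, max_age=MAX_AGE):
    """Return human-readable findings; an empty list means the backups look sane."""
    seen = {e["job"] for e in entries}
    last_ok = {}     # job -> most recent successful entry (log is chronological)
    failures = {}    # job -> count of failed runs
    for e in entries:
        if e["status"] == "OK":
            last_ok[e["job"]] = e
        else:
            failures[e["job"]] = failures.get(e["job"], 0) + 1

    findings = []
    for job in sorted(expected_jobs):
        if job not in seen:
            findings.append(f"{job}: no log entries at all - was it ever configured?")
        elif job not in last_ok:
            last = [e for e in entries if e["job"] == job][-1]
            findings.append(f"{job}: never succeeded ({failures[job]} failures, "
                            f"last error: {last['msg']}) - is someone clicking through this?")
        else:
            ok = last_ok[job]
            if now - ok["when"] > max_age:
                findings.append(f"{job}: last success was {ok['when']:%Y-%m-%d %H:%M}, stale")
            if ok["size"] == 0:
                findings.append(f"{job}: reports OK but wrote 0 bytes - verify with a test restore")
    return findings


def run_sample():
    """Audit the constructed log as of the morning after the second run."""
    return audit_backups(parse_log(SAMPLE_LOG), EXPECTED_JOBS, datetime(2013, 8, 17, 8, 0))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it against the sample and it reports three problems: the database job has never succeeded (its agent license expired), the file share “succeeds” with zero bytes, and the VM cluster job does not exist at all. The mail store, which completed within the last day with a non-zero size, is left alone. None of this replaces a test restore; it tells you which restores to try first.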

Segment Your Network

Friday, July 19th, 2013

Properly functioning, networked computers are the most polite things you’ll ever work with.

When one of them makes an announcement, they immediately all pay attention, drop whatever conversation they may have been having, and focus completely on what the speaker is saying. They spend enormous effort in listening to and carefully considering every announcement made in their presence.

Therefore, segment your network so it’s not bogged down by broadcast traffic.

Fibre Channel and iSCSI

Wednesday, July 17th, 2013

In SAN environments, admins can choose between Fibre Channel (FC), FC over Ethernet (FCoE), and iSCSI to get their data from users and servers to the storage system. So what are the differences?

FC is like the guys from Top Gear going down a perfect ribbon of road in three Italian supercars. They can floor it, swing around the corners crossing both lanes, and arrive at their destination in good order while telling us we all need a Ferrari convertible. iSCSI is a dozen Mini Coopers pulling off the Italian Job. They’ll get to their destination, just don’t ask how they got there.

iSCSI is also a good deal cheaper, unless you already have a massive fibre network that you want to justify keeping around. Just be careful to not overload your iSCSI system with nodes: gridlock with Mini Coopers is still gridlock… and the lads in the Ferraris will just laugh at you.

The Importance of Physical Security

Tuesday, July 16th, 2013

No amount of software hardening can overcome lax physical security with your network devices.

Let’s say a bad person, we’ll call him August Derleth, gets physical access to one of your Cisco switches that’s been tucked away in a broom closet. He gets it into ROMMON mode and sets it so it will reboot without challenging him for a password. Now he reboots the switch and then does a copy startup-config running-config command. He now has the original config loaded and full access to it. He can now create an account for himself, copy all the details on that config, and then choose a port on the access switch to open up for his own purposes, be it a rogue switch, server, or router. He could disable DHCP snooping and DAI so he could use a man-in-the-middle attack to capture all the voice traffic on that switch.

None of the software security configurations you have made will give you aid in the event of a physical access compromise.

So put a lock on that door. Now our man August cannot get to that switch because there is a lock on the door… so he can only try to attack it from the outside, which means BPDU Guard and Root Guard and DHCP snooping and DAI keep him frustrated in that respect.

OK, so Mr. Derleth gets a crowbar and breaks the lock and gets in… we are back at the original scenario. We have to face the possibility that an unauthorized person gains physical access to a system. There need to be alarms and cameras on that entrance so that when security is breached, we have a record of it. There needs to be a double entrance with a person on duty in the middle space at all times – a night backup operator, for example. Key cards, combination locks, etc. could all be considered.

Now for the switches themselves: There need to be keepalive monitors on EVERY sensitive device so that reboots and power outages are monitored and documented. Once the physical security has been breached, the main concern is not frustrating the further attacks of the hacker with configurations on the compromised device, but gathering forensic data so he can be properly apprehended and prosecuted. The compromised device is a lost cause. Mr. Derleth may not care for alarms going off if he’s planning a smash and grab operation: his goal may be to gain access to an information store, copy it or physically transport it, and then get out before the police arrive. The alarms, however, provide a trail of evidence for later use.

So what if Mr. Derleth wants to implant systems to observe traffic and intercept communications? In that event, the alarms allow us to see where the breach began, and logging servers will note when devices’ configs have been altered – or when devices have been logged into. Now we can hopefully check over those other devices and roll their configs back to an earlier saved config kept in a location inaccessible from the network.
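The logging half of that is only useful if somebody actually reads the logs, so here is an added example (my own, not code from the original post or from Cisco) of a Python pass over collected switch syslog that pulls out exactly the three things the post says must be documented: reboots, logins, and config changes, along with where they came from, and it also lists expected devices that have gone quiet, which is the keepalive side. The IOS message mnemonics (SYS-5-RESTART, SYS-5-RELOAD, SEC_LOGIN-5-LOGIN_SUCCESS, SYS-5-CONFIG_I) are real; the log lines, host names, trusted admin subnet and maintenance window are constructed assumptions for this example.

```python
"""Review switch syslog for the events the post says must be documented:
reboots, logins and config changes (and their source), plus devices that
have gone quiet. Added example; the IOS mnemonics are real, but the log
lines, host names, admin subnet and maintenance window are constructed."""
import ipaddress
import re
from datetime import datetime, time, timedelta

# Constructed sample lines in "date time host %FACILITY-SEV-MNEMONIC: message" form,
# i.e. what a syslog collector might write after stripping its own header.
SAMPLE_SYSLOG = """\
2013-07-16 01:58:10 sw-closet-3 %SYS-5-RESTART: System restarted --
2013-07-16 01:59:45 sw-closet-3 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.9.9.9] [localport: 22]
2013-07-16 02:01:02 sw-closet-3 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.9.9.9)
2013-07-16 09:00:00 sw-core-1 %SYS-5-CONFIG_I: Configured from console by jsmith on vty1 (10.1.1.20)
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) %(\w+)-(\d)-(\w+): (.*)$")
SRC_RE = re.compile(r"(?:Source: |\()(\d+\.\d+\.\d+\.\d+)")

TRUSTED_ADMIN_NET = ipaddress.ip_network("10.1.1.0/24")   # assumed admin jump subnet
MAINT_WINDOW = (time(8, 0), time(18, 0))                  # assumed change window
EXPECTED_DEVICES = {"sw-closet-3", "sw-core-1", "sw-closet-7"}  # assumed inventory


def parse_syslog(text):
    """Parse each line into a dict; lines that do not match the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, _facility, _sev, mnemonic, msg = m.groups()
        src = SRC_RE.search(msg)
        entries.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "mnemonic": mnemonic,
            "msg": msg,
            "src": ipaddress.ip_address(src.group(1)) if src else None,
        })
    return entries


def in_window(when):
    return MAINT_WINDOW[0] <= when.time() <= MAINT_WINDOW[1]


def untrusted(src):
    # No source at all (console login) counts as untrusted: someone was in the closet.
    return src is None or src not in TRUSTED_ADMIN_NET


def review_events(entries):
    """Return one finding per event worth a human look, in log order."""
    findings = []
    for e in entries:
        tag = f"{e['when']:%Y-%m-%d %H:%M} {e['host']}"
        if e["mnemonic"] in ("RESTART", "RELOAD"):
            findings.append(f"{tag}: reboot - match against change tickets and closet access records")
        elif e["mnemonic"] == "LOGIN_SUCCESS" and untrusted(e["src"]):
            findings.append(f"{tag}: login from untrusted source {e['src']}")
        elif e["mnemonic"] == "CONFIG_I":
            if not in_window(e["when"]):
                findings.append(f"{tag}: config change outside maintenance window - diff against the saved config")
            if untrusted(e["src"]):
                findings.append(f"{tag}: config change from untrusted source {e['src']}")
    return findings


def silent_devices(entries, expected, now, max_silence=timedelta(hours=24)):
    """Expected devices that have logged nothing recently: dead, unplugged, or muted."""
    last_seen = {}
    for e in entries:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["when"]), e["when"])
    return sorted(h for h in expected if now - last_seen.get(h, datetime.min) > max_silence)


def run_sample():
    """Run both checks over the constructed log as of midday on 2013-07-16."""
    entries = parse_syslog(SAMPLE_SYSLOG)
    return review_events(entries), silent_devices(entries, EXPECTED_DEVICES, datetime(2013, 7, 16, 12, 0))


if __name__ == "__main__":
    events, quiet = run_sample()
    for finding in events:
        print(finding)
    print("silent:", quiet)
```

On the sample, the broom-closet switch produces the whole story in three lines: a reboot at two in the morning, then a login and a config change from an address nowhere near the admin subnet. The core switch’s daytime change from a trusted address is left alone, and sw-closet-7, which has logged nothing all day, shows up as silent. The point of keeping the rules this simple is that the interesting events are rare on a healthy network; a device that reboots, gets logged into and gets reconfigured outside the window is worth a phone call every time.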

Get your physical security house in order: locks, monitoring, and logging are all part of a complete physical security strategy.

What’s the Best Way to Learn? Teach.

Saturday, July 13th, 2013

If you’re pursuing any IT certification worth having, you’re going to have to learn lots of stuff. The higher the level of certification, the more information you’re going to have to have crammed into your tiny little human being brain. The best way to get that information into your head is to teach it.

Even if all you’re doing is to keep a diary of your learning progress, the act of composing your thoughts to communicate them to another person will force you to both understand and remember the particulars of what you communicate. Copying and pasting what another person wrote won’t cut it: you need to rephrase it in your own words.

Yes, this takes on the risk of being wrong. That goes with being a human, so quit whining and hurry up and make your mistakes so you can get on with learning from them. If you come out and say something wrong, ask someone to correct you, check the suggested correction, and go forward from there.

But above all, if you actually put down something that’s accurate – and if you do all you can in order to *be* accurate – then you’ll learn that topic in the best way possible.