Tech Tips from the Castle

LinkedIn Needs to Add a Warning to its Connection Emails

2011-12-18T17:35:00.005-05:00

Like most of us, I receive invitations from random folks on the Internet asking me to connect with them via LinkedIn. In some cases they are from accounts with no connections and no reasonable profile. They are clearly looking for information for nefarious purposes. Yet when the email comes in, this is all that LinkedIn says:

"WHY MIGHT CONNECTING WITH SHAMSODIN KARIMI LASAKI BE A GOOD IDEA?
shamsodin karimi lasaki's connections could be useful to you
After accepting shamsodin karimi lasaki's invitation, check shamsodin karimi lasaki's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future."

What is LinkedIn thinking? Why encourage me to connect with a potential hacker?
Social networks lose their effectiveness when people lose trust in the overall experience and it is LinkedIn's best interest overall the long run to discourage people from connecting with people they do not have a relationship with.

Let's encourage LinkedIn to add a warning to those emails as well. Here is one potential idea.

"WHY MIGHT CONNECTING WITH SHAMSODIN KARIMI LASAKI BE A BAD IDEA?
If you have no freaking idea who LASAKI is, he might be trying to gather personal information from you as part of a plan to launch a spear-phishing attack against you or one of your connections. Building these connections with people you do not know can create risks and privacy concerns in the future."

Tracking AD Groups Changes with Varonis

2011-11-19T11:37:00.004-05:00

Varonis DatAdvantage tracks changes in Active Directory group membership by comparing the results of the nightly AD walks. If we want to see the changes that have been made to a user we can use the "1a - User Access Log report." The key filter to remember is that we want to show data from the "History of Differences." This shows the changes that have been picked up by the nightly jobs. Then we need to select the date range that we want to look at.

Then select the "Operation Type" filter. There are two operation types that we can select depending on what we are trying to track:

Membership Removed

Membership Added

Add the filter to look only at "Groups" for the Object Type.
The final piece is that the user affected by the change is identified in the "Change Description" field. Use the "Like" operator and remember to enter in the domain name before the start of the user name.

Run the report and you have the answer you were looking for.

Note: Starting in Version 5.6 of Varonis DatAdvantage we also have the "3e - Historical Group Membership" which will display the groups a user belonged to on a specific date. Great report for answering those tricky audit questions.

UCLA Health System Settles Potential HIPAA Privacy and Security Violations

2011-07-08T07:19:00.003-04:00

The Department of Health and Humans Services reached it third settlement this year with a healthcare organization for violations of the HIPAA regulations when UCLA agreed to pay $865,000 to resolve charges that employees were inappropriately snooping into the records of celebrity patients.

In the previous settlements of 2011, Massachusetts General agreed to pay a fine of $1,000,o00 and Cignet Health of Prince George's County agreed to a fine of $4,300,000. Clearly HHS is taking these violations much more seriously than had been done in the first 14 years of HIPAA's existence.

Organizations that deal with PHI need to have clearly defined policies and procedures to protect patient data, training to make sure that employees are aware of the rules, and most importantly methods that can be used to monitor that the policies are being followed. If you are the CISO of a healthcare organization you should be asking yourself questions such as:

Are all of the laptops that access our systems encrypted?

How do I validate that they are encrypted?

Are we monitoring access to patient information?

How do we detect inappropriate access to PHI?

The stakes are being raised and the privacy groups within Healthcare organizations have to respond accordingly.

Zero Day by Mark Russinovich

2011-07-04T13:59:00.005-04:00

Of course you can tell by reading this blog that I am not a storyteller; and certainly not a novelist. Therefore I preface this review with that caveat that I could not have written Zero Day as well as Mark Russinovich. Zero Day is a thriller surrounding the release of a set of extremely destructive computer viruses. We track the progress of Jeff Aiken, a private security consultant, and Darryl Haugen, a PhD. Computer scientist from MIT working for the Department of Homeland Security, as they try to identify the viruses, determine a solution, and track down the perpetrators. The main flaws of the novel is that the characters are on dimensional and the book is hitting us over the head with a hammer to indicate the potential devastation that society could face as result of a cadre of determined evildoers exploiting the weaknesses of the Internet and computer systems.

As a technical expert, Mark Russinovich is world famous. He is known to us in the security world as one of the cofounders of Sysinternals; which is one of the key solutions available to Windows administrators everywhere. With this technical background, Zero Day describes how a set of evil actors could technically wreck havoc on the computer systems of America and Europe.
The story is engaging and suspenseful and as someone in the security field, I was interested to see where the story led us. Without the importance of the subject matter, the risks to our cyber infrastructure, the book would not be that interesting. The storytelling and actors is too shallow. We have “obligatory” love scenes and one of the “usual suspects,” a Russian cybercriminal, involved. There is limited character development in the story and the bureaucrat that Daryl reports to is as helpful as our stereotypes of bureaucrats would lead us to believe. That being said, I believe like Mark does that the risks we face are severe and the more coverage that they get the better. With that as a backdrop I would recommend this book.

In my opinion, to learn more about the security implications and the deep impact of the Internet on our society, I would first read Daniel Suarez’s two novel set, Daemon and Freedom (TM). These provide a much more nuanced look at the good and bad associated with the Internet and our dependence on it.

Kingpin

2011-05-31T09:16:00.005-04:00

Kevin Poulsen's Kingpin is a fascinating look at the world of cybercrime involving credit card theft and fraud. The story is told from two angles. The first is from the perspective of Max Butler, one of the leading cyber criminals of the last ten years, and the second is from the perspective of law enforcement. We follow the path of J. Kevin Mularski, an FBI agent, who leads the effort to track down and ultimately capture Max Butler.

As “Iceman,” Butler ran Carders Market, an online marketplace for illegal credit card data. The book covers many of the high-level techniques that Butler uses to break into systems, invade Point of Sale Systems, and it includes a solid discussion of how SQL injection is used to steal data. In fascinating detail Poulsen covers how Max uses hacking techniques to take over many of the illegal sites that hackers use to buy and sell credit card information, shut down his competitors, and move all of the traffic over to his Carders Market site.

The dual focus on the criminals and the law enforcement efforts to capture them makes the story a page turner, and it reads like a crime novel. Kingpin also covers some of the law enforcement efforts surrounding, Shadowcrew, the online criminal marketplace that was shut down due to the information received from the combination informant / cybercriminal Albert Gonzalez, who would later be arrested and convicted for the TJX and Heartland Payment Systems breaches. The FBI brilliantly set up a VPN for the Shadowcrew service so that they could tap all of the online conversations and identify the evildoers.

Kevin Poulsen certainly knows the hacker underground, as he was convicted in June of 1994 of several computer crimes and was sentenced to over 4 years in prison. Jonathan Littman covered his Kevin’s exploits in The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen. Poulsen is now a Senior Editor at Wired.com

Poulsen’s first-hand knowledge leads to one of the most interesting facets of the book. At many times Poulsen’s story of Max Butler describes the psychology of Max. He parallels many who are involved in the world of hacking. They are conflicted individuals, with a childlike love of learning and exploration, without the moral tools to stop them from crossing the line into criminal behavior.

The book has the two key elements that I look for: it is entertaining and informative. It is a must-read for those who have an interest in information security and care about the digital economy.

The CREATOR OWNER Problem

2011-02-20T18:55:00.006-05:00

This post describes the problem caused by the CREATOR OWNER permissions that are set by default in Windows Server 2003 on folders. Take the example here of the Human Resources folder and all of the subdirectories underneath it. This is sensitive data that we want to manage the permissions extremely carefully. The challenge with the CREATOR OWNER permission is that when a user creates a subfolder within a folder that contains this permission, the SID of that User is set to Full permissions on the new folder, even though we had given them only Modify permissions within the "Terminations" folder.

If we look at the security of the "DoneBYSSmith-CO-ON" folder, we can see that Windows Server 2003 has added an Access Control Entry for Sally Smith and given that user Full control.

This is not what we wanted, but Windows does it because the CREATOR OWNER permission was set at the parent folder as shown here.

What we need to do is remove the CREATOR OWNER at the top level folder where inheritance is turned off and then push it down to all of the child objects. The permissions should then look like this at the parent folder. When any user in the grp.Share.HumanResources.Modify group creates a folder, then they will not inherit full permissions, which is normally what we want. They will instead retain just the permissions granted by the group they belong to.

Beware the CREATOR OWNER SID.

Stop Monitoring a Directory in Varonis

2010-12-29T14:10:00.004-05:00

There are several types of directories that you may not want to monitor at all in Varonis DatAdvantage. These might be temporary folders that are used by products such as disk archiving solutions that have a cache directory on each Drive that is archived. This will stop all event collection and permissions monitoring for that folder and any subfolders.
Go to each drive where you believe this is an issue, click on the folder to be excluding to select it. Then right click on the folder and select the “Stop Monitoring” option.

When you select the directory a warning dialog box appears asking you to confirm your choice.

If you click “Yes” then the system stops monitoring the folder immediately.

Wireless Security and Monitoring in Government Agencies

2010-12-07T12:06:00.003-05:00

Ericka Chickowski has posted on article on DarkReading discussing the shortfalls of wireless security across government agencies. I offered several of my thoughts to Ericka on the topic which were cited, especially mentioned the need for Network Access Control solutions. Here is the article. Here is a link to the GAO report.

Who is minding your Data Stores?

2010-11-19T08:02:00.004-05:00

I recently received the “Benchmark Study on Patient Privacy and Data Security” by the Ponemon Institute, that was released on November 10, 2010. One thing that always screams out to me from these reports is how few of the data breaches are detected by the organization that was breached. According to this study less than half (47%) were detected by a hospital employee and in a significant number of cases (41%) it was the patient themselves that noticed the breach.

When you look at statistics from Gartner and other industry analysts, much of the security spending dollars are going to preventative controls and a much smaller percentage are going to monitoring solutions and detective controls. Do we as a security professionals have that backwards?

In spite of significant investments in firewalls and anti-virus tools - generally the two largest categories overall - organizations continue to get breached and data continues to leave the castle. Are you focused enough on detecting when unusual activities are taking place in your company and spotting potential breaches?

Home Directory Data Usage

2010-10-13T12:46:00.002-04:00

One of the neat things that you can do with Varonis DatAdvantage is monitor how much disk space your users' home directories are taking up. If you are like most organizations where all of the home directories are stored in a common directory on the file server, this is a snap.

Using the 4f report - "File System Objects List" create a report with two filters.

The first is: "Access Path" and should be set to the top level folder that contains the users' folders; such as "D:\home."
The second is: "Directory Depth" and should be set to 3 so you capture each user's folder on a separate line in the report; such as "D:\home\auser."

Then click on the "Extended Properties" tab and select the "File count" and "Total size in MB" options. Sort, the report on "Total size in MB" and away you go.

This will generate a list of all of the home directories with their associated disk usage, allowing you to identify users who are taking up an inordinate amount of disk space. Save this report to a spreadsheet and run this on a periodic basis and you will be able to track usage trends.

Slap on the wrist for Russian Hacker in RBS Case

2010-09-14T08:18:00.003-04:00

Unfortunately, the Russian authorities only handed out a suspended sentence for Viktor Pleshchuk, one of the hackers who broke into the systems at RBS WorldPay Inc. They stole approximately $9 million from 2,100 accounts and Viktor essentially got off scot free.

Several inherent problems are revealed in this decision. First, the United States has no extradition treaty with Russia for these types of crimes. Since a large number of attacks originate from Russia, this is something that the State Department should be working as one of the top priorities in Obama's efforts to improve cybersecurity. If we cannot punish the bad guys, all of the reports and committees are of little use. Second, according to the story on Bloomberg, his lawyer's statement that “This is not a regular crime but a cybercrime and Pleshchuk didn’t really have a full understanding of the damage he was causing,” is comical.

These type of criminals hurt thousands of people on a daily basis and need to be severely punished.

Where are AD Groups Used?

2010-07-25T18:34:00.003-04:00

Utilizing Varonis DatAdvantage, one can determine how an Active Directory group is being used on a file server. To find where a security group is applied to a folder directly, run the 4a – Effective Permissions for User or Group report. You need to select each File Server that you want Varonis to investigate and since we are only interested where the group is in the “ACL” there are two options that need to be selected and set to True:

"Show only direct permissions"
"Distinguished unique"

This allows you to see every folder where the security group is directly applied.

Dealing with the CounterACT "Port Scan - SNMP" message

2010-07-06T22:01:00.013-04:00

One of the challenges in managing the ForeScout CounterACT appliance is to deal with and clean up the false positives that arise from anomalous network behavior that is not malicious. For example, today, we received a set of errors from one particular server, 192.168.111.18, that indicated that it was performing SNMP port scans. ForeScout correctly detected that something unusual was occurring and classified it as a malicious event.

Every several hours the server was performing SNMP port scans on IP addresses that were no longer existed. What was causing these scans?

Upon further investigation, they were IP addresses for printers that had been moved and given new IP addresses. By running regedit and searching for one of the IP addresses we were able to determine that it was a printer that the server was looking for.

We went into the Control Panel, selected the printer in question, assigned the LPT1 port to the printer, deleted the old port, and then deleted the print queue. The problem was solved and another false positive was eliminated. Thanks John!

Warning - You Have Received a PDF file

2010-06-30T08:52:00.006-04:00

With recent spate of vulnerability disclosures in the Adobe Reader and Acrobat programs it is time to take a big picture look at the PDF (Portable Document Format) format. The first observation that I make is that the PDF is not a strictly a static file; because of its potential for embedded JavaScript actions, it is an executable program. Since it is an executable program it needs to be treated as such from a security perspective. We need to have virus scanners aware of the executable functions within PDF files and warn us or inoculate us against the executable code that exists in the format.

Most people assume that a PDF file is a safe, immutable way to save and transmit unstructured information. Unfortunately because of the ability to create forms and JavaScript actions the PDF file has moved far beyond that; which is why the format has become so vulnerable to hackers. One solution that would stop this problem in its tracks would be for Adobe to create two different formats (PDF and PDX for example) and remove the JavaScript capabilities from the core PDF format. Until that happens we need to be wary of PDF files and take some of the following steps:

Educate the user community that PDF files are inherently unsafe and should be treated with caution

By default, disable the functionality to run JavaScript within Adobe Reader and use it only as an exception.

Make sure that we have prevention tools in place to detect rogue PDF files.

Make sure that we have deployed detective controls to notice when unusual behavior is taking place on a user’s workstation or on the network so that we can fight off the PDF-borne attacks.

For those who are interested in the latest patches, Adobe issued updates yesterday for Adobe Reader and Acrobat that deal with the Critical security issues that have been discovered in the current release 9.3.2 (and earlier versions). Here is the security bulletin from Adobe with links to version 9.3.3 of the software products.

SQL Server Job History

2010-06-26T08:39:00.006-04:00

In running Varonis DatAdvantage there are times when you want to look at the history of the nightly jobs for a longer period then the defaults provided by SQL Server 2005. These defaults are based on 'Maximum job history log size (rows)' and 'Maximum job history rows per job.' If you are monitoring a large number of servers than the system may only keep several days worth of history for each job. Where disk space on the SQL Server is not an issue one change the the delete option to purge data based on an overall duration, which can be specified in days, weeks or months. For example, we might want to retain 10 days worht of history to assist in debugging issues. To do that perform the following steps.

First run SQL Server Management Studio.

Then navigate to:
• Root
• SQL Server Instance
• SQL Server Agent
• Right click on SQL Server Agent

From here right-click on history.
Select the option to "Automatically remove agent history" and enter the duration that you want to keep the job history.
Click on OK and you are ready to run.

Justice Prevails

2010-05-05T08:03:00.003-04:00

The recent convictions of the Sarah Palin email hacker, David Kennel, and the San Francisco system administrator, Terry Childs, are welcome events in the history of cyber crime.

These transgressions are not victimless; they affect everyone. One of the beauties of the Internet is its openness. That openness is only works if people feel safe on the Internet. When individuals take advantage of that freedom by abusing their privileges or infringing on the rights of others, it harms all of us by whittling away at that trust.

The Internet has revolutionized the way we live and that can only continue when people who violate the laws involving computer usage are punished severely.

Is Terry Childs a Cyber Extortionist?

2010-05-01T14:12:00.004-04:00

On Tuesday, April 27th, a jury of his peers, which included a network engineer, convicted Terry Childs of a felony for withholding administrative access to the City of San Francisco's networks by refusing to hand over privileged user credentials.

KTVU.com covers the story here.

His defense that his supervisors were not qualified to have the passwords is rather remarkable. He was a "privileged user" because his employer placed him in that position, not because of any rights he held. Childs' refusal to turn over the information to his superiors seems likes a pure case of extortion and a total misunderstanding of his responsibilities and I believe it is a good thing that he was convicted. Another case of the laws starting to deal with new threats that we face in the Information Technology world in the 21st century.

SMTP Errors

2010-04-03T09:07:00.008-04:00

The other day I was installing Varonis DatAdvantage for a customer and during the installation process received the following error, "The message could not be sent to the SMTP server. The transport error code was 0x800ccc15."

The first thing I wanted to check was that I had connectivity to the Exchange Server. So I used telnet to connect to port 25. That worked fine, so there was not a firewall in place blocking the connection. The Exchange server was set up to accept relays so that was not the problem.

After some investigation it turned out that McAfee VirusScan Enterprise 8.7.0 was the culprit.

Access Protection was enabled, so I reviewed the settings.

The issue was the rule to "Prevent mass mailing worms from sending mail" was blocking all traffic from the Varonis server. It was stopping all programs except those that are explicitly allowed from using SMTP to send messages.

Back to the McAfee server to add the programs in question and we are back in business.

Adobe Please Fix Your Software

2010-03-17T21:19:00.003-04:00

I was configuring a new Varonis server today and needed to download Adobe Reader so that we can access the documentation. I went to the Adobe web site and clicked on the download button. When I finish the installation, what do I find out? That they are still installing 9.3.0 by default! This is the unpatched version that has been the subject of a number of exploits. If a random user who doesn't deal with security on a daily basis installed this, they could be hosed. I ran the updates, but many people wouldn't. Adobe, please release a version that includes the patches built-in.

Businesses Victims of On-line Bank Fraud

2010-02-23T14:10:00.002-05:00

There have been a number of small business that have been getting ripped of through fraudulent wire transfers. In one example, Krebs on Security covers the details of how an IT consulting firm lost nearly $100,000 through wire transfers it did not make.

Customers need to make sure that their banks are using robust authentication, not just static passwords with additional questions to verify identity. These are too easily captured by keyboard loggers or other spoofing devices. The banks need to employ multi-factor authentication that cannot be victimized by the malware that is rampant throughout corporate America.

In addition, companies should be looking into keyboard encryption for computers that are accessing sensitive information. Please reach out if you would like to learn about how to defend you and your business.

Adobe Patches Reader and Acrobat Again

2010-02-16T17:02:00.003-05:00

Security issues continue to crop up in Adobe Reader and Acrobat. Adobe has issued patches for Reader and Acrobat to correct security issues. Users should upgrade to version 9.3.1 of the software. Click here to see the Security Bulletin.

Fatal System Error

2010-02-13T11:26:00.003-05:00

We read every day about Eastern European crime syndicates that are involved in cybercrime, cyberwarfare, and other nefarious activities on the Internet. In many ways these organizations are block boxes, with very little information reported on who they are and how they work. Joseph Menn in his new book, “Fatal System Error,” tells the stories of two individuals, Barrett Lyon and Andrew Crocker, who have gone toe-to-toe with the evil hackers of the East. Menn has created a thrilling and informative work that delves into the specifics of these two Internet heroes.

The book starts off telling the story of a young self-taught computer whiz named Barrett Lyon. Barrett becomes an expert in fighting off Denial of Service attacks. For those looking for an in-depth technical discussion of how Barrett wards off the attacks you will need to search elsewhere. The specific approaches that Prolexic takes are not described here; which in entirely appropriate in the context of how this story is told. Most of Barrett’s initial clients were in the Internet gambling business and were located out of the United States. He founds a company, Prolexic to provide a secure hosting environment to protect his clients from the Distributed Denial of Services attacks. Unfortunately for Barrett, the politics involved in running Prolexic get in the way of its mission and he decides to move on.
One of the main goals of the attackers was to extort money from the gambling sites. After many episodes of defending against the numerous extortion attempts Barrett tries to fight back. He contacts the FBI on many occasions, without much success. However, in researching the attacks on BetCRIS, one of clients, he gets the involvement of Andrew Crocker of England’s National Hi-Tech Crime Unit.

Menn expertly transitions the story to tales of Andrew Crocker. Crocker’s goal is to identity the criminals in Russia and bring them to justice. In the telling of this story, Menn sheds significant light on to why convicted these foes is such a challenge. At the core of the problem is that the Russian government does not want these people prosecuted. On the local level bribes of police and judicial employees keep the criminals out of jail. At the national level the criminal masterminds are protected by high-level operatives in the Russian government. They touch on the periphery of the Russian Business Network and speculate that the Russian government overlooks the illegal activities of these groups because they want to use this expertise to support political aims such as the suppression of dissent and information in places such as Georgia and Estonia.

One of the conclusions that Menn and the investigators come to is that the protocols of the Internet need to be redesigned. They were developed by the US government to build a distributed, resilient network, as which they have been an enormous success. The protocols were not developed with security in mind; it was not a consideration 35 years ago. Policing the Internet with current policies is extremely difficult if not impossible because the countries of the world have different objectives and place different emphasis on these crimes.
If you want a look into the Belly of the Beast, Fatal System Error
, is a great place to start.

Updating Varonis DA Immediately

2010-02-08T21:33:00.003-05:00

Varonis DatAdvantage updates the Work Area's File Permissions and User Information on a nightly basis. Sometimes, after performing significant changes to improve your security you want to get a view of the current state your server. To do that you need to run the nightly jobs. You can run those jobs manually in two ways. One is through the Configuration menu with the DA GUI. The other, which I prefer, is to go directly to the SQL Management Studio to perform the jobs so I can monitor their progress.

Here are the steps:

1) Run the AD Walk(s)

2) Run the File Walk for each server that you have updated.

3) When those jobs are finished run the Pull Walk.

After the Pull Walk is complete, you can restart the DatAdvantage UI and the permissions will be current.

Harden Your Service Accounts

2010-02-07T14:56:00.007-05:00

In many cases we have service accounts that need powerful privileges to perform their tasks. This power also means that there is an elevated level of risk associanted with these accounts. They could be used inappropriately to access resources without accountability, since they are not tied directly to a person. There are two steps that I recommend that people follow in locking fown these accounts. Both of these activities involve starting Active Directory Users and Groups and then selecting the Properties options on the selected service acccout. First, select the Terminal Services Profile and check the option to Deny this user permissions to log on to any Terminal Server. The screen shot is listed here:

Then we want to restrict the computers that the service account cal log into. This is found on the Account tab. Once on this tab, click on the Log On To command button. At this point enter the computer name(s) where the service account is used. This will limit the account to logging into only this machine.

Stop Monitoring a Server in Varonis

2010-01-26T12:08:00.002-05:00

When you have a Windows server that is going offline, but you want to retain all the historical information in Varonis ( the events and permissions) here are the steps you need to follow.

From within the Configuration Screen select File Servers. Then move to the server that you want to decommission.
1) Uncheck all of the boxes for Collect Events.
2) Uncheck the box for Local Accounts.
3) For each drive make sure the Crawl File System is set to Disable.
4) Click OK and you are all set.

8 Predictions for 2010 on Document Management Security

2010-01-08T11:23:00.001-05:00

Each year there seem to be more and more breaches in information security. Some only cause embarrassment; others could cause harm. Take a look at this list of my predictions that I prepared for AIIM. Could you be affected by any of these items? If so, start locking down your information effectively. I would love to hear your feedback.

Adobe Issues Update on Security Issues with Reader and Acrobat

2010-01-07T21:13:00.001-05:00

Adobe issued an advisory today giving more information about the securityissues with Adobe Acrobat and Reader. They plan to release a patch on January 12, 2010. Here is the security bulletin from Adobe.

The Big Switch

2009-12-26T15:17:00.004-05:00

Cloud computing is all the rage. According to Nicholas Carr, one of the unstoppable drivers is the economics of cloud computing. Carr uses the history of the electric industry to explain the historical forces that are in play today in the information technology market and that will move Information Technology to more and more of a utility computing model.

There is an informative description of companies such as YouTube who generate tremendous value by providing a platform with a small number of employees that millions of people add value to for free. This viral model has been used a number of times in the Internet space and is one of the forces that is negatively affecting traditional industries such as newspapers.

Carr also covers a number of the social changes that are occurring, including the loss of privacy, which in some ways was the opposite effect that early Internet pioneers predicted.

This is book is required reading for anyone who wants to understand the major forces that are moving the Information Technology field.

Buy The Big Switch: Rewiring the World, from Edison to Google
from Amazon now.

Adobe Reader is Vulnerable Again

2009-12-22T12:41:00.003-05:00

Back in May we first discussed the vulnerability in Adobe Reader. Once again, an issue has cropped up. I ask the question again, why doesn't Adobe release a standard verison of the reader without Javascript? Sure, it would disable some forms, but the bulk of users in the world want to read documents safely and not use forms. They could certainly have a Premium Reader with Javascript support for those people that need it.
Here is the statement from them, "Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.

Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue."

Here is a link to the security advisory.

Who Stole Those Emails

2009-12-01T18:14:00.003-05:00

I have started writing a column for Infonomics, the publishing portion of AIIM. The first column covers the basics of Information Security. Here is a link to The Article.

OWASP Releases 2010 - Top 10 Web Application Security Risks

2009-11-18T15:08:00.004-05:00

OWASP (Open Web Application Security Project) released the preliminary version of the Top 10 Web Application Security Risks in a Request for Comment format.

According to OWASP they plan "to release the final public release of the OWASP Top 10 -2010 during the first quarter of 2010 after a final, one-month public comment period ending December 31, 2009. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. This release has been significantly revised to clarify the focus on risk. To do this, we’ve detailed the threats, attacks, weaknesses, security controls, technical impacts, and business impacts associated with each risk. By adopting this approach, we hope to provide a model for how organizations can think beyond the ten risks here and figure out the most important risks that their applications create for their business."

The full document can be found on the OWASP web site.

The OWASP Top Ten has been a key driver in improving the security of Web applications across many industries. If you have any questions please ask Arthur, who is an active OWASP member.

HP Laserjet 3100 on Vista or Windows 7

2009-11-01T19:36:00.003-05:00

I have a wonderful HP Laserjet 3100 that is still working reliably after seven years of use. I recently added a new laptop that is running Vista Business (no choice in the matter) to my stable of machines. I still want to use this printer with the Vista machine, but HP has no drivers for the printer. What to do?

The printer is connected to a machine on my network running Windows XP Professional.

1) I added a new printer on the Windows XP machine without using Plug and Play. It was set up as an HP LaserJet II Series printer connected to LPT1 (The parallel port).
2) I shared out the printer as \\Machine\HPLJII
3) I went to the Vista laptop and added a network printer. Of course it didn't discover it so I clicked on the option "The printer I want isn't listed."
4) I manually entered the Share \\Machine\HPLJII, which the Vista machine recognized as a LaserJet II and bingo I was up and running.

This solution should work for a Windows 7 machine as well.

AIIM Garden State Chapter Meeting - November 12th

2009-10-27T22:52:00.004-04:00

I am attending the AIIM Garden State Chapter meeting on November 12, 2009.

The topic is "Social Media All You Need To Know: A to Z"

The meeting is at the Woodbridge Hilton, 120 Wood Avenue South -- Iselin, NJ

Key Takeaways:

Learn how to setup Twitter, LinkedIn and Facebook

Learn how to use Social Media to be found, find talent and promote your company

Learn what and how enterprise tools are utilizing Twitter, LinkedIn and Facebook

Speaker(s)

Michael Potters, The Glenmont Group
Rahul Nirula, OpenText

Meet with some of New Jersey's top IT recruiters at this event
Event Time Registration & hors d'oeuvres / Networking opportunities: 5:30 - 6:30 pm Presentation: 6:30 – 8:00 pm Dessert / Networking opportunities: 8:00- 8:30 pm
Fees* AIIM Members $30Non-Members $35On-Site + $10

I hope to see you there!

The Hacker Turned Serial Killer

2009-09-08T10:52:00.004-04:00

Just finished a very entertaining book, The Scarecrow, by Michael Connelly. I am not regularly a reader of crime fiction, but a friend who knew about my interest in information security suggested it to me. I really enjoyed it and was spooked by the effectiveness of the hacker. WIthout giving away any of the story, the hacker uses social engineering, trojan horses, viruses, and other nefarious techniques to further his criminal activities. I highly recommend it; you may just take better care of your personal information after reading it.

Restoring Deleted Permissions with Varonis

2009-08-20T22:54:00.008-04:00

This afternoon a hedge fund client called with a high profile problem. One of the system admins from their outsourcer had deleted all of the Active Directory permissions of the General Counsel. Not a great person to prevent from accessing the system. Since they are a Varonis DatAdvantage user, I was able to help them solve this problem.

We ran a query from the log area and selected "History of differences" as the data source. The keys were to set the "File Server" to "IDU" and set the "Change Description" to start with his fully defined domain account. Then we got a list of all of the groups that he belogned to and my client was able to restore them all and get the General Counsel up and running ASAP.

DatAdvantage to the rescue.

2009-08-19T09:22:00.001-04:00

Kudos to the Department of Justice for the indictment of Albert Gonzalez and two of his coconspirators. With all of the high profile data breaches occurring we need to take a deeper look at what is going on here. While TJX and Heartland may have been PCI compliant, they were still breached. The issue with most security approaches is that they focus primarily on “preventative” controls. There are not enough “detective” controls in place to make sure that if one of the preventative controls fails, there is someone or something there to notice. No defense is impenetrable and that is why we practice “defense in depth.”

In the case of Heartland Payments Systems, it is alleged that the hackers were siphoning off data for months and it wasn’t until Visa and MasterCard noticed the fraud, that Heartland found the breach. Some questions that companies should be asking themselves include:

Do you have in place a process to review audit logs from your firewalls and core routers on a regular basis?
Do you have a process in place to monitor the activities of privileged users and system accounts?
Do you have a formal entitlement review to verify that security is granted in a “least privilege” model?
Do you audit database and file system activity?
If any user was accessing an unusual amount of data, would anyone notice?

I would appreciate hearing your thoughts on these questions.

AIIM SharePoint Event - September 17, 2009

2009-08-11T09:12:00.003-04:00

On September 17 , 2009 the AIIM International Garden State Chapter is hosting a Panel Discussion and Networking Event and I will be one of the panelists. Here is some info in case you are interested in attending.

Register Here!
--------------------------------------------------------------------------------
Panel Topic: MS SharePoint – where is it headed?

· How is MS SharePoint different from traditional ECM products
· How well does MS SharePoint integrate with other ECM products
· What are the top ECM products being integrated with MS SharePoint
· How are companies leveraging MS SharePoint
· What are the "hot skills" in demand around the MS SharePoint

Panel Members:

· Allan Schweighardt, Senior Technology Strategist, Microsoft
· Joe Giegerich, President / Managing Partner, Gig Werks
· Kenneth Shea, Former Executive Director of Enabling Technology, KPMG
· Arthur Hedge III, President, Castle Ventures

Networking:

· Network, Network, Network!!
· Meet and talk with individuals from the industry
· Meet some top New Jersey's recruiters in the MS SharePoint space

Meeting Agenda

5:30 - 6:30 pm - Registration & hors d'oeuvres Networking opportunities
6:30 - 7:30 pm - Panel Discussion
7:30 - 8:30 pm - Dessert: Networking opportunities

Location:

The Woodbridge Hilton
120 Wood Avenue South
Iselin, NJ 08830
Tel: 732-494-6200

Fees:*

AIIM Members $30
Non-Members $35
On-Site + $10

*$10 discount for early registration (September 10th deadline)

Register Here!

Hope to see you there.

YouTube Hacked?

2009-08-07T12:40:00.002-04:00

Yesterday, Twitter and Facebook were attacked. Is YouTube being hacked today? There is a video about a healthcare protest that is not having its view counter updated. People have been commenting that the counter has been stuck at 1,338 views for a while. Has someone hacked into YouTube or is it just a bug?

Here is a link to the video.

Hacker Steals Domain Name

2009-08-05T09:58:00.006-04:00

The New Jersey State Police arrested a man who allegedly stole the P2P.com domain name. SC Magazine provides the details in this article "Hacker charged with domain name theft." What is troubling is that domain owners do not adequately protect their domain names. We have an offering that will analyze your risks for only $249. Please visit our website to learn more.

Please protect your Domain information.

SQL Server 2005 on Windows Server 2008

2009-08-04T16:26:00.004-04:00

If you want to install SQL Server 2005 with Reporting Services on Windows Server 2008 you have to jump through a few hoops. Reporting Services is dependent on IIS 6 and SQL Server 2008 runs IIS 7. However, there is the capability to emulate II6, which is critical to making this work.

There is a great blog post on this issue at iGregor, where he walks you through the exact configuration options to make this work.

Hope this helps all those who see that grayed out Reporting Services box in SQL Server 2005 install and are shaking their heads.

2009-08-03T09:44:00.003-04:00

I am planning to attend the August 5th New York SharePoint User Group meeting. It always well attended with somewhere between 50 and 150 people depending upon the evening. The meetings are the first Wednesday of the month at the Microsoft office in New York City.

Click here to register.

Hope to see you there

Is Senator Leahy a Capitalist?

2009-07-29T08:52:00.006-04:00

On July 22, 2009 Senator Patrick Leahy (D-VT) introduced the "Personal Data Privacy and Security Act" to combat the growing number of data breaches. As of July 24, 2009 the Privacy Rights Clearing House had calculated 263,214,232 records had been "lost." They are posting new breaches every week; and these are just those that are public knowledge.

We applaud Senator Leahy for tackling this important issue as it threatens the trust in the financial systems that we use and have become central to the American way of life.

However, several things strike me about the proposed legislation that protect the data brokers and not individuals. First in Section 303 dealing with the "Privacy and Security of Personally Identifiable Information" there is a prohibition against "private action." That protects the data brokers from being sued by the people that have been adversely affected by a data breach. If someone is defrauded out of tens of thousands of dollars because a company lost their records, there is no recourse to sue and try to recover damages and associated costs in dealing with the identify theft. How does that protect the consumer?

Second, Section 316 gives a breached organization 14 days to report the breach to law enforcement agencies (the Secret Service in this case). That is way too long. In 14 days hundreds of thousands of those records could be resold by hackers and be used in fraudulent transactions. Why not make the notification requirement 24 hours? Better safe than sorry.

More to follow on this legislation as it is a step in the right direction.

Identify Theft Comes to Payday Loans

2009-07-13T21:51:00.003-04:00

According to the Chicago Tribune a temporary worker from AT&T, Cassandra Walls, stole information on a number of her co-workers and took out at least 130 loans in their names. Some of the victims found out they had been scammed when collection agencies began calling them.

Let's hope that this identify thief and her co-conspirators are able to compensate all of their victims, even if they have to wait until they get out of prison.

Goldman Sachs Data Breach

2009-07-10T12:38:00.005-04:00

Earlier this week the FBI arrested Sergey Aleynikov for the theft of proprietary software from his employer, Goldman Sachs. The complaint is fascinating in providing insight as to what a leading financial institution is doing to protect its intellectual property. Here are some of the items that they had in place (we know there are more controls that were not revealed in the document):

Scanned and analyzed outgoing mail
Prohibited file transfers using ftp to outside locations
Recorded commands performed on the user's desktop
Logged access to systems
Monitored https traffic

Sergey was a sophisticated insider with technical skills who tried to cover his tracks, unfortunately for him, the security folks at Goldman Sachs were several steps ahead of him.

One other lesson that we should learn from the affidavit is that:

1) They had a written security policy.
2) That put tools in place to support that policy.
3) They had a security architecture in place to detect when the policy was being violated.

Kudos to the security team at Goldman and the FBI agents who arrested Aleynikov.

New York SharePoint Users Group Meeting - July 1

2009-06-17T15:27:00.002-04:00

I am planning to attend the July 1st SharePoint User Group meeting. It always well attended 50 to 150 people depending upon the evening. The meetings are the first Wednesday of the month at the Microsoft office in New York City.

http://www.sharepointusergroup.org/NewYork/default.aspx

Hope to see you there.

Renaming SQL Backup Files

2009-06-16T20:13:00.002-04:00

If you use a SQL 2005 Maintenance Plan to create backups of individual databases, the .bak files have a date stamp on them. I have a customer that wants to handle the files with an automated tool and would prefer that the backup files have a consistent name. We could backup up the databases en masse, but we wanted separate backups for this purpose.

The solution was to create a VB script that runs as a scheduled task and renames the files every night after the backups are run. Here is the code that I wrote to handle renaming all of the files.

-------------------------------

------------------------------------------

Note: this will fail in 2100. Just setting up some Y2100 work for your grandchildren.

Active Directory Security Groups

2009-06-06T08:57:00.007-04:00

Yesterday, during a Varonis training session, Paul Ezhaya started a great discussion by asking my opinion on strategies for naming security groups and organizing folders on file servers. The primary debate was whether to use security groups named after departments and roles or to use security groups named after folders that they provide access to. For example, if there was folder called Human Resources with sub-folders such as Employee Data, Forms, and Terminations, and folders specific to several departments how would we set this up from a security perspective? Would we create Active Directory groups based on Roles for the HR people who handle each department and then apply those groups to the corresponding folders on the file server? Or would we create AD groups named after the specific sub-folders and then add the specific people to those groups as needed? Along with the security groups we would take the lead in organizing the folder structure to match the security group naming conventions.

There is no “right” answer, but here are some of my thoughts on the Role versus Folder question.

In general, I prefer the Folder-based solution. The first reason is for the long-term security of your organization. Finding the data is always top priority so regardless of how you organize the folders; users will learn the taxonomy and adjust to it. You need to force the organization to apply security; therefore, if you organize the infrastructure in a secure manner, they won’t have to. Second, When you first set up your Role-based Security Groups you might have an accurate grouping of the users by department. However, over time people will not make the appropriate adjustments to those groups. After the initial setup fades away, when you add someone to a role-based security group to they can access a particular set of data, you may not realize what else that gives them access to. You may not it even give it any consideration because security will always be an afterthought. In a Folder-based solution, the security of the data is pushed to the forefront as the IT department knows what folders the Active Directory group gives them access to. And if the access is insufficient user will surely let you know, where the odds of them notifying you that they were given too much access in the Role-based scenario is highly unlikely.

Of course, we may have a hybrid approach. At the top level shares we might want to have security groups for the department and apply those at that level. Then we would turn off inheritance on folders with confidential data and apply the folder-based security to those folders. So we end up with a set of groups like this:

grp_HumanResources
grp_Terminations-RO
grp_Terminations-RW

Where RO is for the group with Read Only privileges and RW is the group with Modify privileges.

If there are other reasons for you to use a Role-based strategy then I would highly recommend an automated Identify Access Management system. I think that you will still find that the default will be to provide too much access, but the results will be better.

AIIM Garden State Chapter Meeting - Software as a Service

2009-05-26T21:17:00.004-04:00

I am a member of AIIM, which is a trade association and professional organization focused on the Enterprise Content Management market. The Garden State Chapter of AIIM is holding its next meeting on June 18, 2009 at the Woodbridge Hilton. The meeting starts at 5:00 p.m. and goes until 8:00 p.m.

There is a Panel Discussion: With panelists from Adobe, SpringCM and IPS covering "Software as a Service (SaaS) - a Better Solution?"

Does SaaS deliver on its promise to lower ECM costs?
Where does it fit in the market vs. hosted and in-house models?
Learn how companies are leveraging SaaS technologies Hear what the "hot skills" are in SaaS

Go to the Garden State Chapter web site to register.

There are plenty of networking opportunities as well.

Hope to see you there.

Adobe Acrobat Requires Critical Security Update

2009-05-19T23:29:00.001-04:00

It is astonishing that software that was created to present documents in a "neutral format", Adobe Acrobat, can be hacked. Another case of taking a great product and adding features that eventually take the software far beyond the original architecture and creating security vulnerabilities.

Why is JavaScript even an option in PDF files? PDF files were suppossed to be the safe alternative to documents that you might receive in formats such as Word. I guess that has gone by the wayside.

Here is the link to Adobe's update site.

US-CERT has more detail about the vulnerabilities and other workarounds and protection methods on their web site.

AIIM New York Metro Chapter Presentation - May 15, 2009

2009-05-15T15:23:00.000-04:00

I gave a presentation today to the New York Metro Chapter of AIIM on

"Is SharePoint the future of Enterprise Content Management?"

I described how SharePoint fits into the traditional ECM Marketplace, where it succeeds, where it falls short, and where it ventures far beyond ECM. Audience participation was great. We discussed where SharePoint is an appropriate solution for organizations and some of the challenges in implementing SharePoint to solve business problems.

Here is a copy of the presentation.

TechRepublic Reviews Varonis Suite

2009-05-04T20:31:00.000-04:00

The TechRepublic blogger Mark Kaelin has a review of the Varonis Data Governance suite.

Here is a link to the review.

Nice to see the product get some coverage, since it is the greatest thing since sliced bread (actually since VMware). The review mentioned three things that are wrong with the product, I take issue with two of them.

Issue 1 that I disagree with:

"Culture shock: The general principle of placing decision making concerning data governance in the hands of employees deep in the organization may be a significant change of policy for many established organizations, especially those with established hierarchical structures and controlling IT departments. "

One of the advantages of the Varonis solution is that you can start small, with one directory if you want, so that there is no need for any culture shock. Security provisioning by the user community can be rolled out as slowly or as quickly as the organization can handle.

Issue 2 that I disagree with:

"Cost and scope: The scope of the Varonis Data Governance Suite 4.0 does not come cheap. Not only will the entire organization have to buy-in to the concept, the initial software installation and training cost will be significant. This suite of software is most likely to be used in larger organizations with very specific and vital data governance needs. "

The cost of the solution relative to the value of the data is not significant and in terms of improved efficiency of IT administration the product more than justifies the cost. We have a number of customers that are small (250 users) and see significant benefit from the DatAdvantage product. Again the "enterprise" buy in is not a necessity for implementing the solution. Behind the scenes the DatAdvantage solution monitors and reports and access without disturbing anyone and the Data Privilege component can be rolled out directory by directory if you so desire.

How to we keep users aware of security concerns?

2009-05-03T09:16:00.000-04:00

An organization can only be successful in securing its data and assests if it is a company-wide effort. Most security failures involve a technical failure(s) as well as a human failure, through social engineering as an example. One of the challenges that we face in dealing with the user community is that we need them to be vigiliant all the time even though the threats that we face come very rarely (or hopefully not at all). I have several thoughts:

Design systems to take the rarity of threats into account and design better "detection" systems in addition to better "prevention" systems.
Vary the reminders that people get about security so they don't become oblivious to them.
Make sure that we design systems so they fail safely.

Are Your Admins Accountable?

2009-04-28T12:43:00.000-04:00

A comprehensive security process protecting critical assets needs to follow a basic outline such as this:

Prevention
Detection
Reaction
Correction

Access to servers is one area where I see this process break down all the time. First, people reasonably Prevent access with passwords. However, they use a common account such as Administrator; which seriously weakens the Detection and Reaction steps. If every system administrator is using the same privileged account to do their work, there is no accountability (a key component of detection) and no reasonable ability to React when something goes wrong.

CIOs, don't let your admins grow up to be cowboys! Make it a policy and practice to require that system administrators use their own accounts to perform their jobs.

SharePoint Designer is Free

2009-04-20T14:50:00.000-04:00

SharePoint has taken the world by storm. In almost all of our clients SharePoint has been deployed or is being discussed and this phenomenon is happening everywhere. SharePoint Designer is one of the key tools that you can use to customize the SharePoint experience without coding. Download it for free here. You can also use SharePoint Designer to do traditional HTML programming.

Two-factor authentication comes to Main Street

2009-04-02T08:29:00.000-04:00

Security can be a wonderful thing and if it is well thought out and it does not have to be onerous.

I have seen an increase in the number of merchants who are asking me for my billing zip code when using my American Express card. Walmart has been doing it for years. Many gas stations have started and last night, Walgreens asked me for the first time.

This is a great example of intelligent two-factor authentication. The transaction relies on “something I have,” the credit card, and “something I know,” the billing zip code. Something that is easy for me to remember.

This is much more effective than a signature because the credit card processor can easily validate my zip code as compared with analyzing handwriting. If security involves a cycle of:

Prevention
Detection
Reaction

the use of the Zip Code raises the ability of the bank and merchant to prevent and detect a fraudulent transaction.

Several years ago someone stole my credit card and spent about $300 before I noticed the next morning that the card was gone. Had the thief been asked my zip code, he never would have been able to order that $50 meal at McDonald’s. Let’s hope that more merchants follow this protocol and we see a drop in credit card theft, saving all of us money in the long run.

Unresolved SIDs

2009-03-14T12:09:00.000-04:00

When we are working on cleaning up security in a Active Directory environment using Varonis DatAdvantage, one of the common problems that we run across are SIDs that Varonis cannot resolve to a useful name. In most cases this is because someone has deleted the user from Active Directory, rather than just disabling the user account. However, there are cases when the SID (security identifier) represents a group or machine account. Here is an example:

SID: S-1-5-32-544

Nobody ever remembers what those are. In walks Jennifer!

A Varonis user that we were working with, Jennifer Crusade, found this great Knowledge Base article that explains common security identifiers in Windows operating systems.

http://support.microsoft.com/kb/243330

Hope this helps you resolve a question or two.

Turning off the Windows Server - Shutdown Event Tracker

2009-03-06T11:21:00.000-05:00

I often need to reboot the lab server that I am working on. One of the minor annoyances is the Shutdown Event Tracker that pops up and asks for a reason. When you are restarting the box several times during one work period this can be a real pain. So I learned how to shut it off.

Running gpedit.msc (Group Policy Object Editor) gives you the option to change this. Go to Computer Configuration:Administrative Templates:System and find the Display Shutdown Event Tracker settting.

Change the setting to Disabled and you are all set. Another minute saved.