Security Stories: "If you tell enough stories, perhaps the moral will show up." (UMACF24, http://www.blogger.com/profile/02445329596237305760)

"Edward Snowden" (2013-06-23)

I have been enjoying a lurid TV spy drama series called The Americans very much lately, so it's just possible that everything I have to say here is the result of too much stimulation and late night TV...<br />
<br />
I think that the whole Edward Snowden business smells very ratty indeed. Apparently he's on his way to Venezuela now, where he will, if he is lucky, spend the whole of the rest of his life hoping for a presidential pardon. Perhaps he will be consoled by his distraught pole-dancing girlfriend, and the occasional visit from Glenn Greenwald. Or perhaps, and this is my expectation, on a day when the news is all elsewhere, he will disappear, and a few months later, someone looking like, but not too much like, him will walk into a well-remunerated, under-worked job at some sleepy agency of the US government.<br />
<br />
Yes, I think this is an operation. I'm not certain, and I'm somewhat less certain that Snowden knows it, but it seems the most likely explanation. There are three factors to this:<br />
<ol>
<li>The ridiculous melodrama: the girlfriend; the anguished father; the extraordinary claims of access; the cogent, rather rehearsed, interviews and the round-the-world tour. Snowden makes Assange look small-time.</li>
<li>The banality of the limited, studiously-vague, revelations. The internet is tapped. Of course it is. That is why we encrypt. Telephone metadata is passed on. That's horrible, but I can't claim to be surprised. Nothing to throw a career away over, except for one thing:</li>
<li>The claim that GCHQ can read Blackberry handsets. This is a huge deal, if they're referring to users connected to a Blackberry Enterprise system. The BES lets security-conscious managers screw handsets down so tight that it's well-nigh impossible to get spyware on to them, and the telecoms operators don't have access to the keys of what is widely acknowledged to be a sound cryptosystem. Breaking that, reliably, is a massive success and yet it's thrown away as a minor point in one of the Guardian's articles.</li>
</ol>
The Blackberry thing is so huge that I can't help seeing it as the main motive. BES-managed Blackberries must have been a thorn in the side of communications spies for a long time. Breaking them means breaking the standard encryption algorithms, which can perhaps be done, on a huge scale, which probably can't, or alternatively, it means suborning the administrators of every government and diplomatic BES installation, which would be laborious and unreliable. It would be easier for everyone if diplomats and civil servants could be persuaded to just stop using them.<br />
<br />
Now the thing is, if that was my job, if I wanted to get adversaries off their BBs onto something I <i>could</i> tap, I would probably start with exactly this revelation. It wouldn't be true, but once it reached enough security officers, by a means that persuaded them they weren't supposed to know it, they would soon be doing my job for me. A leak, with some colour to make it plausible, wrapped up in enough spurious content that the gem -- as my targets would see it -- has to be dug for, is exactly the way to go. Of course, there's nothing to stop other reasons being true too. We could well also be looking at an opinion-testing exercise, a realisation that the phone and Internet tapping was going to leak at some time, and this at least puts it under some kind of control, and there may be other motives as well. But the basic structure, a controlled leak and a discredit for Blackberry is the core, and that is what I think Snowden, whether he knows it or not, is up to.<br />
<br />

Coverage doesn't cover it; Why we need delinquency. (2011-03-12)<br />
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">I don’t think “coverage” targets and metrics for update-led systems like AV and patching do the job. It’s just as important to measure the AGE of non-compliance: the Delinquency. I want the reporting packages that come with AV and patch products to offer that number, and I’m vexed - really quite upset just now - that they don’t.</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">The purpose and justification of compliance targets is to ensure that "enough" machines are current without wasting effort on too many fixes. In theory, “enough” means</span></span></div>
<ul style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-top: 0cm;" type="disc">
<li class="MsoNormal" style="margin-bottom: 0px; margin-left: 15px; margin-right: 0px; margin-top: 0px;"><span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">In the machine population as a whole, on average an installed malware infects (much) less than one other machine, so outbreaks are stifled ("herd immunity") and</span></span></li>
<li class="MsoNormal" style="margin-bottom: 0px; margin-left: 15px; margin-right: 0px; margin-top: 0px;"><span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">The probability of any individual machine being compromised is acceptably small considering its sensitivity.</span></span></li>
</ul>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">These factors could be measured and calculated, but in practice they aren’t. There are too many unknowns. In fact we adopt more or less arbitrary targets.</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">Almost uniformly, targets for anti-malware signature systems and patching are set and measured in terms of coverage: what percentage of the population is “out of date”, or has no agent installed at all?</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">My view is that that suits the manufacturer’s model where installers and updating systems work reliably and easily, where the bulk of the effort lies in the initial setup and maintenance is mostly a matter of ensuring the new-builds all carry the agent. When that’s true, why not aspire to 100% and set a target of 97%? The real world is somewhat different.</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">Not so long ago, I faced a situation where a major vendor AV product was struggling to attain 80% coverage. The hardware was regular, the OS was XP, the builds were coming off a restricted set of images. We got plenty of high-quality support, but it was all about rectifying individual machines – try this, if that doesn’t work, try this. In that situation, the coverage metric was very unhelpful because it just doesn’t say what to do next, how to prioritise limited effort. Coverage can even be a negative guide if the support teams learn to focus on the easy wins, as the troublesome builds which may never have had a current scan will never be fixed. If you have a coverage target, it’s natural to fix the easy problems first – would you fix the AV on a dozen standard-build workstations, or that flaky build that runs that special system that nobody really understands? Are you going to reach out to the laptop users who never update? Or if you’re patching every server you have, except the domain controllers, the coverage looks fine, but the situation is dire…</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">The measure we want – and none of the reporting tools support it – is delinquency. Delinquency measures how long devices – servers, workstations – have been out of compliance. Admins faced with a delinquency target will be more motivated to fix the hard cases, or escalate them out of the system.</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">Delinquency is the percentage of machines which are out of compliance now and have not been in compliance at any point since some cut-off time. If you scan compliance on Monday, then the machines that were first noticed the previous Monday or before are your one-week delinquents. Of those, the ones that first showed up the Monday before that are your (yes) two-week delinquents.</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">The timescales you use depend on how tightly you intend to ride rectification for that particular population. For example, for workstations, I would say that a target might be 10% of one-day delinquents, and zero% of one-weekers. I’m saying that we can accept quite a high percentage of non-compliant hosts, provided that we have confidence that all of them are getting fixed within the week – rebuilt or updated by hand if necessary.</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">Servers, naturally, are different. For servers, the route to live is six weeks long and we get one reboot window per month. Many rectification processes involve a reboot. That’s part of the reason why coverage targets fail harder for servers. But for delinquency, we can say that our target is zero% of six-week delinquents – everything has to be fixed in the first reboot cycle after it goes bad – and all of a sudden we are getting somewhere.</span></span></div>
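A worked example, added here and not part of the original post or of any vendor's reporting package: it produces the delinquency buckets above from nothing more than a history of per-scan compliance snapshots, which is the data every AV or patch console already holds. Host names, scan dates and results are constructed for illustration; the choice to count a previously-seen host that stops reporting as non-compliant, to take the population as every host seen in the history, and the workstation targets (10% one-day, 0% one-week, from the paragraph above) are my assumptions for the example.

```python
"""Delinquency reporting from a history of compliance scans.

Added example, not from the original post or any vendor's reporting
package. It assumes the only raw data available is one snapshot per scan
run: the scan date plus, for every host the scanner saw, whether it was
compliant (current signatures / patches) on that run. Host names, dates
and results below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    when: date
    status: dict  # host -> True if compliant on this scan, False if not


def delinquency_ages(snapshots):
    """Map each currently non-compliant host to its age in days.

    Age runs from the first scan that saw the host non-compliant after it
    was last seen compliant, up to the latest scan date. A compliant result
    resets the clock. A host the scanner has seen before but which is
    missing from a later run is treated as non-compliant on that run
    (assumption): the laptop that stops checking in is exactly the case
    that a coverage figure hides.
    """
    ordered = sorted(snapshots, key=lambda s: s.when)
    known = set()
    bad_since = {}  # host -> date the current run of non-compliance started
    for snap in ordered:
        known.update(snap.status)
        for host in known:
            if snap.status.get(host, False):
                bad_since.pop(host, None)
            else:
                bad_since.setdefault(host, snap.when)
    latest = ordered[-1].when
    return {host: (latest - since).days for host, since in bad_since.items()}


def delinquency_report(snapshots, thresholds_days):
    """Coverage plus, for each threshold, the percentage of the population
    that has been out of compliance for at least that many days.

    The population is every host seen in any scan of the history, so hosts
    that vanish from the scanner keep counting against you.
    """
    ordered = sorted(snapshots, key=lambda s: s.when)
    population = set()
    for snap in ordered:
        population.update(snap.status)
    ages = delinquency_ages(ordered)
    compliant_now = len(population) - len(ages)

    def pct(n):
        return round(100.0 * n / len(population), 1)

    report = {"population": len(population), "coverage_pct": pct(compliant_now)}
    for days in thresholds_days:
        report[f"delinquent_{days}d_pct"] = pct(sum(1 for a in ages.values() if a >= days))
    return report


def next_actions(snapshots, limit=5):
    """The 'pick the oldest' queue: currently delinquent hosts, oldest first."""
    ages = delinquency_ages(snapshots)
    return sorted(ages, key=lambda h: (-ages[h], h))[:limit]


def target_breaches(report, targets):
    """targets is {days: max_pct}; returns the thresholds that are exceeded.

    Every threshold in targets must have been passed to delinquency_report.
    """
    return sorted(d for d, limit in targets.items()
                  if report[f"delinquent_{d}d_pct"] > limit)


# Constructed weekly Monday scans: lap07 stops reporting after the second
# run, ws01 has a one-week blip, and ws08 is a new build that arrives
# non-compliant on the last run.
SAMPLE = [
    Snapshot(date(2011, 2, 14), {"ws01": True, "ws02": False, "ws03": True, "ws04": True,
                                 "ws05": True, "ws06": True, "ws09": True, "dc01": False, "lap07": False}),
    Snapshot(date(2011, 2, 21), {"ws01": True, "ws02": True, "ws03": False, "ws04": True,
                                 "ws05": True, "ws06": True, "ws09": True, "dc01": False, "lap07": False}),
    Snapshot(date(2011, 2, 28), {"ws01": False, "ws02": True, "ws03": False, "ws04": True,
                                 "ws05": True, "ws06": True, "ws09": True, "dc01": False}),
    Snapshot(date(2011, 3, 7), {"ws01": True, "ws02": True, "ws03": False, "ws04": True,
                                "ws05": True, "ws06": True, "ws09": True, "dc01": False, "ws08": False}),
]

WORKSTATION_TARGETS = {1: 10.0, 7: 0.0}  # 10% one-day delinquents, none at one week

if __name__ == "__main__":
    report = delinquency_report(SAMPLE, [1, 7, 14, 21])
    print(report)
    print("fix first:", next_actions(SAMPLE))
    print("targets breached:", target_breaches(report, WORKSTATION_TARGETS))
```

On the constructed history, coverage reads 60% and looks like a patching problem to throw bodies at; the delinquency figures say something different: the domain controller and the missing laptop have been bad for three weeks and go to the top of the queue, while ws08 is a day-zero case that the normal process will probably fix on its own. The one-week target is breached, which is the signal the post is asking the reporting tools for.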
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">I’m not against coverage reporting. It’s good, and it tells a good story at management level. And coverage targets are necessary to control some very obvious ways to game delinquency! But delinquency allows you to manage:</span></span></div>
<ul style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-top: 0cm;" type="disc">
<li class="MsoNormal" style="margin-bottom: 0px; margin-left: 15px; margin-right: 0px; margin-top: 0px;"><span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">It gives you a clear “next action” – pick the oldest – to prioritise your rectification effort, and</span></span></li>
<li class="MsoNormal" style="margin-bottom: 0px; margin-left: 15px; margin-right: 0px; margin-top: 0px;"><span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">It’s compatible with a zero target – you just have to set the age of non-compliance to match your environment, available effort, and risk appetite</span></span></li>
</ul>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">On the downside, auditors tend to panic or look blank when you describe it to them. More seriously, it requires a history, and I guess it’s that dependency which means that it seems to be impossible to get figures out of the reporting packages.</span></span></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="MsoNormal" style="border-collapse: collapse; font-family: arial, sans-serif; font-size: 13px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span style="font-family: Arial; font-size: x-small;"><span style="font-size: 10pt;">And that’s why I’m ranting! I’ve just had to give up delinquency reporting as the hand-built tool I used became too hard to maintain with a change of platform. I’ve had to move back to checking coverage and keeping private little lists of troublemakers, and it feels like a real step backwards.</span></span></div>

We Are At War! (2010-10-03)<p>Possibly. The story has been running in the computer press for a fortnight or so -- google “Stuxnet Iran” -- but it’s gone mainstream with <a href="http://www.economist.com/node/17147818">articles in the Economist</a> this week.
<p>A specific malware -- called Stuxnet by its original discoverers -- turns out to be:<ul>
<li>Very sophisticated, robust and prolific, particularly well able to travel on USB memory sticks to infect systems kept off the Internet
<li>Targeted rather specifically to attack WinCC, a notoriously insecure plant and process control system from Siemens
<li>And, weirder, even at sites running WinCC, despite all that specificity, it doesn’t do any of the harm it is capable of. Except in Iran.</ul>
Because it seems that the Iranian nuclear fuel and reactor plants run WinCC. And when it’s activated in Iran -- the details of that aren’t clear -- it causes harm.
<p>Cutting a long story short, the line offered to us is that Stuxnet was built by a well-resourced team to smash up the centrifuges at Natanz or even the reactors, by disabling the computers that manage them. The Americans are <a href="http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage">said to have form here</a>. The Israelis have an obvious interest. And both nations have deep capabilities in development and experts in malware analysis.
<p>I think this could very well be true. Stuxnet is really hard to explain on any other theory. It “wasted” a previously unknown Windows vulnerability on an esoteric target -- a weakness that could have made millions installing Zeus to collect banking passwords. The “waste” is just as gross when you consider the huge skill and work that’s gone into the code -- just to bugger up some plant for no obvious economic benefit.
<p>So, Stuxnet is a weapon in an undeclared war against Iran. And that’s interesting because it’s a first look since Titan Rain at what modern information weapons look like. And what do they look like?
<p>
Well, unimpressive, mostly:<ul>
<li><b>Slow</b>. Stuxnet has been around for months, and if there was an effect at Natanz, it took a while.
<li><b>Expensive</b>. There’s a lot of effort in that code, no doubt, and a lot of investment in the test and development rig it first ran on, but the real cost is that as soon as it goes public it betrays the zero-day vulnerabilities it depends on for its unique spreading capabilities. Zero-days are wasting assets -- and the clock starts running the moment they’re used.
<li><b>Weakly targeted.</b> Stuxnet went global. It was designed to limit the harm in non-target sites, but it would be better from the security point of view if it had never got there. Global distribution tipped off every WinCC site, including the Iranians to get smart.
<li><b>Limited scale</b>. You can’t do wave after wave of this sort of attack, as the victim will tighten up their patching and filtering, and at any time the supply of zero-days is limited.
<li><b>Limited effect.</b> The Iranians still have a nuclear programme.
<li>And, finally, there’s <b>no magic</b>. No doubt Stuxnet is quality work, but it’s just a well made malware. Like all current malware, it’s a combination of understood techniques.</ul>
<p>That last one seems crucial to me. If you do all the things that you should be doing to manage routine malware and zero-days: endpoint, removable media, gateways; then you’re also, and entirely for free, building yourself a bunker which will stifle many of the best efforts of the “cyber” warriors.
<p>I’ve been meaning to write about the boondoggle called information war, but it will have to wait. All I’m going to say here is that I’ve felt for some time that even the idea of IW is unsound -- a hysterical reaction to the pathetic network security seen in the United States and the defence establishments of other countries. If Gary McKinnon can break into your systems by guessing telnet passwords, then, yes, probably you are at risk to rather broad attacks. But that has <b>nothing </b>to do with expanding warfare into the cyber domain and, frankly, <b>everything </b>to do with being a tosspot.
<p>In the meantime, for the rest of us, the lesson of Stuxnet is that Information Warfare is, and remains, a matter for routine operational security.

Nightmare (2010-09-19)<p>OK. Another good title would have been "Idiot." It's a lesson to me. The lessons for you are at the bottom.
<p>It all seemed so reasonable. The screen on my phone was going mental and it had to go for repair. I don't know enough about Android to be sure I'd erased sensitive info and so instead I had to change passwords for every app I used: Facebook, Twitter, my Google account and my email too. Just good practice. The phone was going in on Monday, so that's what I did on Sunday night. I was quite proud of myself.
<p>Now I'm not foolish. I know the risks. I wrote the new passwords down on a piece of paper, and tested them (Can you see where this is going? No, actually you can't. Read on.) My memory of that is very plain, though I was getting sicker minute by minute. I struggled back to town on the Monday, and spent the rest of the week pre-occupied with a really horrible cold.
<p>Back in Kent on Friday night, I thought I'd try and catch up with a week's worth of Twitter timeline. Except I can't log on. Check the bit of paper. Try cAPS lOCK. Try spaces or a punctuation trick. Nope. Try Facebook -- straight in. OK, so it's a silly error, and all I need is a password reset. Off to my mail to pick it up -- can't log on. Arses. Nothing I can think of will get me in. I even have a cached Twitter logon, but it won't let me change my email without knowing the password. And that won't help me get my email password back.
<p>This is the fundamental problem with free services. There's no escalation. And by this time I was getting seriously vexed. It didn't help my peace of mind that there's a spate of password "guessing" attacks against personal email accounts at the moment. Or that the help page for my email blandly told me that the reset would be sent to my secondary email when I didn't have one.
<p>So it's a good thing that there's one thing I don't get free: domain hosting. I pay a very large fee to use the excellent EasyDNS. I don't go there often enough to remember my password, but they do have a recovery system, and they do have a telephone with actual people who could change the email address once I was able to prove identity. Once I could change the zone file for my domain I could haul my way back into my mail. Hurrah.
<p>So, yes, what are the <b>lessons?</b>
<ol>
<li>Obviously, you can't remember all your passwords. Duh!</li>
<li>Writing them down ought to be good enough but it <b>isn't</b>. Empirically proven! (Idiot.)</li>
<li>You need a plan. At the very least you need to be able to say routinely that all your password resets will come to some email account or other. Realistically that has to be your main account because the same address is used by most services for ordinary communication.</li>
<li>You need a password on your main email account which is different from the password you use anywhere else. Why? Because if any other service has its user/password list stolen, the thieves'll be trying that password to get into your mail, and once they're in, they'll lock you out and steal your identity. A whole different nightmare, but quite common these days.</li>
<li>You need another email account you can trust to receive resets on your main email. I have a good relationship with my employers so I'm using my work account. You might pick someone you can trust (but who doesn't have an engrossing interest in you -- that could go seriously wrong) and set up a mutual arrangement. Or Hotmail accounts seem pretty permanent these days.</li>
<li>And finally, you need to CHECK the password recovery options every once in a while. This happened to me once before and the route back in was easy -- but it doesn't work any more. And when you have checked, you need to test.</li>
</ol>

Latex as a Security Tool (2010-07-15)<p>I hope I don't disappoint you here.<p>After a couple of dirty (ooer) jobs over the weekend I felt moved to write about the benefit I've been getting from my big box of disposable gloves. <p>Five pounds gets a hundred latex gloves -- male sizes -- at Screwfix and at 5p each you can use them for almost anything (and as they really don't keep for long you do need to use them up.) Just over the last few days, I've protected my hands against grease, drain overflows and -- ahem -- biologically active matter. Barrier creams can work and are more comfortable, but the gloves give you a better grip for tools, you can wear gauntlets over them and they come off when you're finished.<p>And, Security? Well yes. A couple of years ago I spent a week in hospital with an infected finger joint that wasn't playing nicely with the antibiotics. It was pretty scary -- an unmanaged replicator would be a very 21st century way to die, and I never found out where it came from. The best guess was some tiny wound on the finger went septic and my hands do get a lot of abuse. Since then, out of fear, I've been trying to keep them clean and intact as far as possible. All hail cheap latex gloves.<p>Was that a disappointment? Well I'm sorry, and I will go so far as to say you look pretty good in your black PVC LBD. But get yourself some gloves as well, for safety's sake.

Barefoot Security Anti Malware (2010-06-19)

I do get asked for security advice, but not that often these days. Often, much more often, I want to tell people, to SAVE them. Yes.
<br />
So this a worked-up version of an email I send out. It's how to keep control of your computer, your data and your passwords by preventing malware on your PC. I'm aiming at the ordinary PC/Windows user with occasional notes about Apple and Linux. It's in rough priority order, and it's mostly advice I follow myself (though it's not all of the paranoid steps I take.)
<br />
If you think I should have put AV software top of the list, you should remember that <i><b>I</b></i> am a security <b><i>Expert</i></b>. Yes, and I have business cards which say just that.
<br />
<table cellpadding="5" cellspacing="5">
<tbody>
<tr bgcolor="#FF4444">
<td valign="top"><b>Keep your Thinking Cap Securely ON </b>
</td>
<td>Why on earth would you click on THAT?
<br />
If the answer is "because THOSE sites are the ones I chiefly love looking at" then you need to pay close attention to the rest of this list.
<br />
And if you say "because I'm human and I'm not 100% focussed 100% of the time" then you should read on too.
</td></tr>
<tr bgcolor="#FF5555">
<td valign="top"><b>Backup your Files </b>
</td>
<td>Anything you care about should be on media which you don't leave plugged in. There are some nasty malware infections which are simplest to eradicate with a format and restore, so backups are essential. (And there's always fire, flood, technical failure and stupidity, if malware doesn't worry you!)
<br />
It's a big topic. You need to think about having a regular system that will show you if copies get lost or aren't taken, about testing your backups, satisfying any data protection obligations, encryption if you worry about people reading it, and keeping media out of the range of that fire/flood/whatever.
<br />
It's a shame that it's a top priority as it's none too easy. If you're in doubt about how to do this, I suggest you sign up with a UK online backup service, test their software, check their prices and get value out of their support line!
</td>
</tr>
<tr bgcolor="#FF6666">
<td valign="top"><b>Don't do PC Work as an Administrator </b>
</td>
<td>This is really just for Windows users as Mac and Linux set it up correctly anyway. Windows 7 and Vista are better, but you should still arrange to work as a non-admin.<br />
In XP, go into the control panel and set up a new admin account. Then make your regular account into a limited user. Use the limited account for all browsing, email, word processing etc. Only use the admin account to install software, add new hardware, and set up users.<br />
This simple trick stops a proportion of Windows malware, because malware programmers are lazy and assume you haven't taken this precaution -- as most people haven't. Even though attackers are wising up now, and plenty of password stealers and others will now install without admin, it's still an important precaution because it stops rootkits, and ensures that installed malware is easier to clean off.<br />
The problem is that other programmers, especially games programmers, are just as lazy as malware authors so their stuff won't work. Software which insists on admin privileges to run (rather than to install) should be rejected as unfit. If you're stuck with it, investigate "run as".</td>
</tr>
<tr bgcolor="#FF7777">
<td valign="top"><b>Apply Security Fixes </b>
</td>
<td>Ensure that all security updates apply automatically. Malware uses unpatched vulnerabilities to install. Vulnerabilities are sometimes being exploited even before they are fixed, so ignore people who say you should wait a few days -- it's too complicated, and the risk of you forgetting or being exploited in those few days is much greater than that of a bad patch.
<br />
In Windows take a moment to turn the software firewall on, as that setting is nearby.
</td>
</tr>
<tr bgcolor="#FF8888">
<td valign="top"><b>Keep your Auxiliary Programs Up To Date </b>
</td>
<td>Make sure that all of the extra stuff you need for the full experience (Adobe Reader, Flash, Shockwave, Quicktime, Java) are up to date. <a href="http://secunia.com/vulnerability_scanning/personal/">Secunia Inspector</a> is a good way to check.
<br />
Most modern attacks arrive through these products. If you use Office, Photoshop or whatever make sure you get updates for that too.
</td>
</tr>
<tr bgcolor="#FF9999">
<td valign="top"><b>Use a Less Common Browser </b>
</td>
<td>On Windows, don't use Internet Explorer (except for updates where it makes you do it.) On Mac, don't use Safari. Malware authors naturally target the common browsers.
<br />
On Windows, install and use Google Chrome browser because it can update itself as a non-admin (unlike Firefox). If you must browse as an admin, install Firefox and learn to use it with NoScript.
<br />
Also in Windows, take the time to keep IE up to date. Even if you think you're not using it, you don't want old versions on your PC.
</td>
</tr>
<tr bgcolor="#FFAAAA">
<td valign="top"><b>Use AV Software </b>
</td>
<td>On Windows, <a href="http://www.microsoft.com/security_essentials/">Microsoft Security Essentials</a> is good enough -- free, unobtrusive and good quality -- if you avoid admin browsing and email. Check that it is updating automatically.
<br />
I confess I don't run AV myself, but it seems like a necessity for people who like to test animated cursors or other oddments.
</td>
</tr>
<tr bgcolor="#FFBBBB">
<td valign="top"><b>Disable the Big Adobe Reader Mistakes </b>
</td>
<td>Adobe stuff needs special attention. There's just so much malware targeting it, and it's not easy to keep up with the updates. PDF used to be a handy document format, now it's a malware magnet. Reader X (10) is an improvement, but it's still a bore. You have to switch off the idiot features that Adobe added.<br />
Start the Adobe Reader and pull down Edit/Preferences…
<br />
<ul>
<li>Select Trust Manager in the list and clear the checkbox marked "Allow opening of non-PDF file attachments with external applications"
</li>
<li>Select JavaScript and clear the checkbox marked "Enable Acrobat JavaScript"</li>
</ul>
You need to repeat for every user account that uses Reader. There are equivalent settings in Acrobat if you use that -- you'll need to find them yourself.</td>
</tr>
</tbody></table>
So will these make you secure? Well, no; nothing will. But they will stop you from being a soft target. If you have secrets to keep, there's a whole other journey about understanding the settings on your accounts, encrypting data and the rest. But that is another post.<br />
<br />
<b>Organisational Truth Lies in the Email Distribution Lists</b> (2010-04-10)<br />
<p>Now this is a really good idea.<blockquote> "All data access should be approved by the data owner"</blockquote> That sounds so reasonable, it's easy for the auditor to say. But it's absolute murder in practice:</p><p>Most access is routine, and based on who you work for. Requiring an approval for this sort of access diverts effort and attention and provides no real control because if the facts are right, the access is approved unthinkingly.</p><p>I've been messing around with the idea that the official org chart from HR is a suitable proxy for this sort of approval. Essentially, I'm claiming that if the line is on the chart then the manager can't -- won't even be asked to -- decline access to his own team's area. And the same would go for project managers: if you're on the team, you're in the folder.</p><p>Now that's an OK sort of plan except for one detail: the org chart is wrong most or all of the time. Lots of temps are missing and there are important lines that never get on to paper. To be fair, the people who manage it never intended it to be a moment-to-moment authority, but that, unfortunately, is what I want.</p><p>I could actually live with that looseness -- "Good enough" is a lot better than most people's practice, and I think it would do. But we can go a little better, thanks to Kate.</p><p>This afternoon I was tidying some permissions, and I ran into trouble because the team group was wrong.
And Kate, bless her white pate, told me to populate the group from the team mail list.</p><p>I can do something with this!</p><p>Because one thing that managers and their PAs care about is that the team or project distribution list is OK. It'll be updated when the structure changes, and everyone will be on it. If you work for two bosses you'll be on both lists. And, crucially, with Exchange, distribution lists can feature in access control -- you just have to turn on "security-enabled." </p><p>Do you see where I'm going? The distribution list structure, with its nesting, is a true org chart, kept up to date by people who care and understand what it means. And that means that it can be used for all your "because he works for me" approvals, without dealing with the constant stream of "oh that changed" errors. </p> <p>Finally!</p>
<br />
<b>It's OK -- It's Just Normal</b> (2010-04-07)<br />
<p><a href="http://www.kentonline.co.uk/kent_messenger/news/2010/april/1/rapist_is_on_the_list_for_hear.aspx">Stupid article in Friday's Kent Messenger</a> about a rapist on the transplant list. The editorial comment asked the question "Would you donate your heart to a Rapist?"</p> <p>Well, the obvious answer is "No: I'm still using it," but it's still worth a look because it makes a rather wonderful example of the way normals think.</p> <p>As far as I can tell, it's not a joke. We're not intended to say "No, and he shouldn't get blood transfusions either" or "No, and donor registration should allow you to opt out of patients with unpaid parking tickets as well." Or, and I particularly like this one, "No, and convicts should be denied medical attention generally."</p> <p>Someone wrote this, someone subbed it and the editor put it on the front page of the Maidstone edition.
None of them gave it the ten seconds' thought required to see that there's no principle here, that even if the transplant immunologists didn't already have enough to worry about, there's no line, no criterion offered which will serve to guide donors or doctors.</p><p>There is a real story -- that some judges are much too prone to make stupid remarks -- and I'm hoping that it wasn't just cynicism that got it covered this way. I can't really object to journos who fail to take an idea to its limits to see where it goes. It is, after all, just normal. </p>
<br />
<b>Ballistic Brown</b> (2010-02-22)<br />
<p><a href="http://www.telegraph.co.uk/news/newstopics/politics/gordon-brown/7287706/Gordon-Brown-criticised-by-anti-bullying-chief.html" >This story</a> feels like it's being pushed by someone hostile. But I see it -- and trust it -- as far as any other dodgy authentication issue. It's only OK for a bullying hotline to trust your word about your identity if all they'll do is give advice.
<p>Because otherwise it allows callers to build a slanderous paper trail.
<p>The only reason I don't believe this actually is a long-planned operation to discredit the PM is that no-one could possibly have imagined that the woman would be daft enough to go public.
<br />
<b>Safety First</b> (2010-02-14)<br />
I don't believe the LHC will bring the universe to an end when they switch on the second beam and start getting relativistic collisions. The energies are simply too low.<br />
But just for safety's sake, I'm testing the scheduled posting feature in Blogger. I had this story booked to go for Christmas morning 2008 when I figured they'd be running both beams by the end of December.<br />
But they broke it and broke it again. The latest news I have (18/10/2009) is it'll be running early in the new year, so Valentine's Day is a safe bet.
<br />
<b>It's a Dirty Job</b> (2010-01-14)<br />
<p>Diane gets sex spam and she doesn't like it. She's sent up an offensive example.
<p>Now I don't know why the filth heads toward her mailbox, but a quick look at her quarantine shows that there's plenty of raw ... offers ... being blocked. A closer look at the one that got through reveals the reason. There's not a single dirty or ambiguous word, it's barely even English:
<blockquote>
If you are disappointed in its second half, bold, come in.
I can do for you is - what can not no girl! enter here (a link).
</blockquote>
Where's the harm in that? Well, it's obvious. Obvious to me and obvious to Diane too. But utterly undetectable to the machine that's trying to keep solicitations out of her mailbox.
<p>So I have to go down and tell the lady that her basic problem is her dirty, dirty mind.
<br />
<b>Unwired</b> (2010-01-03)<br />
Over the last few weekends -- say 20 hours' work total -- I've laid over the first hedge I planted here -- about 50 yards of "native mix" with the hazel taken out and used elsewhere. It's gone well. I'll never be fast at that job -- I enjoy the looking much too well -- but it's a real eye opener to see how much easier it all goes when you don't have to spend time de-wiring. And it's interesting to see what other planting-time lessons there are to learn.
<ul><li>Rabbit guards are a must. The plants mostly survived, but I reckon they're a year or so back, and the ground-level damage makes them harder to split and bend over.</li>
<li>Ignore the supplier's sincere advice to plant these bare-rooted slips in a trench of tilled soil. Even six years on, the roots move when you strain the plants around the spiles. Slide them into the clay down the back of a spade and they'll be forced to set firm roots in the clay.</li>
<li>Another piece of gardening advice to avoid is to take the top of the slip off so that they bush out. A bush is useless -- you have to strip it all off when you lay. What you want is tall, spindly whips, so just leave them be.</li>
<li>Never plant blackthorn. Duh.</li>
<li>Don't plant briars with the rest of the hedge. Until it's laid over they just get in the way. </li>
<li>So the mix, if you don't fancy just hawthorn, would be five hawthorn, one spindle, one hazel and one fruiting tree depending on your taste -- mine would be beech. Then come back when you've laid it and put a dog briar in each of the gaps. </li></ul>
<br />
<b>Not Invented Here</b> (2009-12-13)<br />
This has got nothing to do with anything I know about, but it's got me cross so here goes.
<p>My little Samsung music player is old now, but it does all I want. It loads up as though it was a USB stick. I can find the music I want navigating up and down the directory tree with folder and track names showing on the tiny four-line display. It plays .wma, .ogg and .mp3 files, and when I'm bored with my files, there's an FM radio.
<p>I would have thought that this counted as some sort of baseline. iPods have a display for album art and video. Other players have integrated phones, or glossy appearance, or Bluetooth audio, or who-knows-what magic. But for a £40 player, I was happy.
<p>One thing the Samsung doesn't have is the oomph to drive any sort of speaker without caning the battery. Nor should it, but it's a bit frustrating sometimes when your ears are tired of buds, that there's no way to fill the room with it.
<p>This shouldn't be a problem these days. Quite a lot of music centres and boom boxes support "USB" which is a shorthand for digital music on popular media. Except they don't -- the support is rubbish. I looked at Cambridge One and the Yamaha desktop music player -- both about £300 -- and they were both really disappointing:
<ul><li>For a start, it's MP3 only. Compared with my Samsung, the hifi designers have vast resources of electrical power and size, so there's no excuse for limiting the playback decoders.
<li>There's not much point in a remote if the buttons are hopelessly obscure. The navigation is hard.
<li>And it's worse when the UI can't even display a directory listing. I've got 2GB of music on that thing and ignoring directory names is not going to help.
<li>And in the 21st century, I reckon we're entitled to a decent screen, but what we're offered is a single line. I felt that I was fortunate under the circs to see the ID3 tags in an unsatisfactory fixed-rate marquee.
</ul>
What's happened here is that someone has made the minimum possible hack to the code that plays MP3 CDs. The idea of picking up a few hints from the players made in a different division of the same firm just never occurs to anyone.
All I want is something that can play the same files as a cheapo portable, and provides a simple user interface. Hard? Apparently so.
<br />
<b>Cerys Matthews had a Baby.</b> (2009-11-27)<br />
Super!
<br />
<b>What Goes into the W7 Workstation</b> (2009-11-21)<br />
First look into the Security Guide in the <a href="http://technet.microsoft.com/en-us/library/ee712767.aspx">Windows 7 Security Compliance Management Toolkit</a>. It's an interesting read and there's a lot of potential goodies. The takeaways for me are:
<ul><li>UAC looks good, but when you get down to it, there's less than you want. In particular you still need a really non-admin account for browsing and reading mail and it won't save ordinary users from cockups -- so they still can't be admins. Good. (Mark Russinovich says that the real purpose of UAC is to force developers to make their code work as non-admin. Better.)</li>
<li>The policy can all be pushed from group policy. The price of this is that W7 machines will need their own OU tree.</li>
<li>There are some sexy, seeeexy audit log options. A whole lot more to set.</li>
<li>There's an easier replacement for software restriction, but it relies on signed code.</li>
<li>Finer-grained control over devices means we might be able to have one less agent in the build.</li>
<li>Still not sure about the malware tools. I can't see why I would object to the Malicious Software Removal Tool but the old rule about not mixing AV solutions may apply here. The native tools aren't enterprise capable, so they'll have to go.</li>
<li>This may be time for SUS. The solution we have is more capable, but since we only ever push MS hotfixes with it, I might just choose to save the licence fee.</li>
<li>They seem to have de-emphasised routine IPSEC since Vista, but I may have missed the crucial bit.</li></ul>
I need a W7 install to play with.
<br />
<b>You know you're a security professional if ...</b> (2009-11-20)<br />
...you ask the designers what the operational <b>meaning</b> of a user group is.
<br />
<b>Performance problem? No, it's a security issue...</b> (2009-11-13)<br />
We block Internet browsing for accounts in admin groups. It's a malware control and I like it. But we hit a strange little problem with this using one particular app. It was fast to start with ordinary console accounts, but privileged accounts were really slow. It took a smart lad -- not me -- with a protocol analyser to spot that the startup sequence involved a certificate authentication, and the host certificate had a CRL access point at an Internet URL. The admin accounts couldn't reach this so they had to go through an agonising timeout. Problem solved!
<br />
<b>An Aid to Promptness</b> (2009-11-08)<br />
It has been scientifically proven (by letting my music player run down) that an exercise mix track with at least 50% Girls Aloud (and other Xenomania <a href="http://www.amazon.co.uk/Trilby-Oxford-Worlds-Classics-Maurier/dp/0199538808/">Trilbies</a>) gets you to work ten minutes earlier.
<p>PS. This only works if you walk to work. On the train? I can't help you.
<br />
<b>Google Dashboard</b> (2009-11-07)<br />
So now we have the Google dashboard <a href="http://www.google.com/dashboard">www.google.com/dashboard</a> -- everything Google knows about you in the one place. Well that would be jolly nice, but it's really everything Google knows about your Google account, which is a slightly different thing.
<p>Because it misses all those unauthenticated search strings which are Google's actual meat and drink. And there are already <a href="http://www.computerworld.com/s/article/9140411/Dashboard_shows_what_Google_knows_about_you">complaints</a> about this.
<p>But I won't be complaining. Because unless you co-operate with Google cookies, what that would show is everything sought from your IP address, which if it's like any of mine is NATed. Do you want to see what everyone in the firm has sought? Do you want them to see your searches? I think not!
<br />
<b>Convenience</b> (2009-11-07)<br />
<p>I'll be hedgelaying along the road again this year, so appearance matters a little more. And at the same time I've pretty much run out of all the odd offcuts I've been using to hold it all together. Privet was good -- it grows into hard straight rods -- but it's all gone now.
<p> I've asked all over but asking for "posts for hedgelaying" draws a blank -- you get offered fencing pales at eighteen shillings each. It's overkill and at two per yard it runs into expense.
<p> It doesn't look like I'll ever find the canonical Hazel rods, so I'm falling back on plan B. I rang up one of the woodsmen in the Wealden Advertiser -- Brede Valley Fencing -- and asked him to make me the same pales used for cleft chestnut wire fencing, but five foot long and without the wire. He quoted me five shillings each and I bought four hundred which will keep me going for a while. They filled up the back of the Galaxy and I drove cautiously home, delighted by the smell of the fresh green wood.
<p> Here they are in the shed. It's a weight off my mind. I feel I can set to work without worrying about running out.
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzrWIDmU0qPuJf6qm4OSUc9s3r1zjEmfMU4gcaskT6iyjl-eeCHYrJa9TQMjnaVc5orjRGLF94DV6QEiKPe86gWzrN9-2p9hnud99bG5ctXWByOLPH0VFH7PHM0IgAnWA9Olzx/s1600-h/pales.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzrWIDmU0qPuJf6qm4OSUc9s3r1zjEmfMU4gcaskT6iyjl-eeCHYrJa9TQMjnaVc5orjRGLF94DV6QEiKPe86gWzrN9-2p9hnud99bG5ctXWByOLPH0VFH7PHM0IgAnWA9Olzx/s320/pales.JPG" /></a><br />
<p> Benders? No need -- I've got Willow wands coming out of my ears, and that certainly gets attention on the commuter train.
<br />
<b>The non-Build Build</b> (2009-11-06)<br />
<p>From time to time we issue non-build laptops to people who want to use the SSL VPN but don't have a suitable personal machine. It's not a practice that gives me much pleasure, as the temptation will always be to assume that it's OK to put the firm's data on one of these. And it's not.
<p>So I've been developing a little list: what we should do to a standard manufacturer's XP install so that it can be placed in the permanent, unmanaged care of a regular user. Here's what I have:<ul>
<li>Truecrypt set up for the system partition. (If there's an I386 on d: or e:, leave that in clear.) Why encryption? 1) because I don't trust them not to put the firm's data on it, and 2) it's an immediate downer for a thief.</li>
<li>The <a href="http://www.mvps.org/winhelp2002/hosts.htm">MVPS hosts file</a>. It doesn't auto update, but it's a good start.</li>
<li>Default Browser: Chrome. It's not IE so it's under attackers' radar, but it does auto update even if you never run as admin.</li>
<li>Microsoft AV -- seems to have difficulty with non-admin updates, but better than nothing.</li>
<li>The default log in takes you to a non-admin account.</li>
<li>Default settings on the Windows firewall, and Windows update.</li>
</ul>It's not much -- in particular you can't make Adobe and Java auto update on a non-admin machine, but it is better than nothing.
<br />
<b>Spam Counter - 2009 October: 1032</b> (2009-11-01)<br />
Mostly watches
<br />
<b>The Future Still Isn't Right, pt II</b> (2009-10-23)<br />
<p><a href="http://securitystories.blogspot.com/2008/08/china-stole-productivity-revolution.html">And another thing</a>. Spectacles. I had my eyes tested today and my prescription has shifted again. Fair enough, and I've opted to head off into the world of varifocals with a pair of single vision driving specs, and what's called occupational lenses which shade from VDU at the top down to reading at the bottom. There are three grades of optical efficiency to choose from, optional high index plastic to reduce the weight, optional quarterwave coating for transparency, and an (optional) hardness treatment. With correction and astigmatism in the basic prescription, the Dear only knows how many possible variations on the basic format that is.
</p><p>During the test, I could opt to have my retina photographed for reference (for a tenner, how could I not?) and a chance to compare it with the lovely optometrist's album of interesting eyeballs. And the whole thing was conducted at a time and place to suit me. It was the very model of the modern custom shopping experience.
</p><p>But if choice is the aim, why, for the love of every holy thing, do they only make spectacle frames in two sizes: too small, and much too fucking small? Am I the only person in the world with a head like a watermelon? I think not. And on that topic why is the choice limited to what they have in the shop on that day? Is it so impossible to record the relative location of ears, pupils and nose, and cut lenses to suit a pair of frames out of a catalogue? I want glasses like <a href="http://eyesonfremont.blogspot.com/2009/05/optical-icons-part-1.html">Michael Douglas in Falling Down</a>: I need nerd authority, but yet again I've settled for some boring black metal frames that are barely willing to exist.
</p><p>How sad.</p>
<br />
<b>Protect identity with a face blur: Fail</b> (2009-10-23)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-aSeaYc3IAU692jqH1NmzuPpqQv0ZQrxO57JnML2ZKH-Pksga3FDUw78cfr0a0LMcdeGj-lrXEvVZSNb7i9dfSkHarVqJaSUrglmkRG3AkggyvR7JDolzihSZJXtzE3BDILh/s1600-h/_46563746_rapecomp3_grab_226.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-aSeaYc3IAU692jqH1NmzuPpqQv0ZQrxO57JnML2ZKH-Pksga3FDUw78cfr0a0LMcdeGj-lrXEvVZSNb7i9dfSkHarVqJaSUrglmkRG3AkggyvR7JDolzihSZJXtzE3BDILh/s320/_46563746_rapecomp3_grab_226.jpg" /></a><br /></div>
<a href="http://news.bbc.co.uk/1/hi/wales/south_east/8311429.stm">This story</a> is so abominably sad that there's really no need to read it. All I want to do is note that in some cases, a face blur can still give important clues to identity.<br />
<br />
<b>Logparser</b> (2009-10-17)<br />
Recently <a href="http://securitystories.blogspot.com/2009/10/fantasy-programming.html">I wrote about the enumerate command that I use</a>. I was looking at it just now because I wanted to enumerate one particular check across the whole domain: I wanted to report on the events that show a user being enrolled into local Administrators on their workstation -- and irregular admins generally.<br />
<br />
This is a big deal for me -- it has been for a long time -- and it's a big deal for more and more sites; it should be for everyone. Admin privilege is the difference between spyware installing in a profile (and even now, most of them don't attempt to do this) and installing dangerously and ineradicably as a rootkit. Admin privilege is what allows users to harm their builds with downloaded software or by messing around with the branding or mapping. But alas, it's also the easy solution to a lot of problems, and desktop team members -- admins themselves -- are often tempted to pass it on to a user in trouble so they can get on to the next call.<br />
<br />
The control for this is to find out when it happens and follow up very promptly, next day, with the admin concerned. But you need to know it's happened, and the only ways I know how to tell it's happened are a) a listing of the group membership on every machine -- which doesn't, crucially, tell you <b>when</b> it was done, or b) the 636 message in the event log. So it's the message we want, provided we can pick and decode the content out of the rather unhelpful format. To hold the desktop team to account, we want to look at the new messages each day, making a nice report of all the suspect events.<br />
<br />
We already have a tool -- enumerate -- which will run a command against every machine. So now we need a command that will append relevant log events on to a report. "But" I hear you cry, "but what about your RSA Envision log SELM appliance? Isn't that ideally suited to this task?" Well yes, my dears, it certainly is, but you see, it's licenced per event source. I have enough licences for all the infrastructure and about half of production servers, but none at all for workstations. We need something at a better price point, like free.<br />
<br />
Microsoft is a better source of free (as in beer) software than you might expect, and they have the tool for this job: Logparser; motto: "the world is your database." In outline, Logparser converts and presents logs of many sorts and some odder stuff like registry and filesystem contents as queryable lists. The queries can be simple or complex: I started with
<br />
<pre><big>SELECT
Strings
FROM
\\mypc\security
WHERE
EventID=636
</big></pre>
But you need to work a little harder to get a script parameterised enough to be enumerated across all domain members and produce a good outcome. The beauty of Logparser is that it's mature enough to deliver -- it really is a proper log analysis tool. I expected to write auxiliary scripts to break out the data, decode SIDs, accumulate the report as a CSV, and keep track of the last log read on each machine, but in fact all this can be done in Logparser script language or command line options.<br />
<pre><big>-- admin.sql
-- Logparser query.
-- Accumulate events where a user has been made a member of admins or power users
-- You might want to enumerate this across the entire domain
-- (omit domain controllers which have different messages)
-- Command would be like
-- logparser
-- -o:TSV -oSeparator:space -headers:OFF -fileMode:0
-- -iCheckPoint:MYPC.lpc
-- file:admin.sql?oFile=2009-10-18_AdminChanges+sMachine=MYPC
-- The checkpoint file is named for the machine, and output is appended to "today's" file.
SELECT
-- Generating "hand" CSV rather than the CSV output type -- more flexible to do it in SELECT and USING
-- the ms from the :ll aren't populated but it stops Excel dropping the seconds
TO_STRING(TimeGenerated, '\"yyyy-MM-dd hh:mm:ss:ll\",')AS Date,
strcat(ComputerName,',') AS Computer,
Resolve_SID (SID) AS Admin,
Action,
Resolve_SID (SIDUser) AS User,
Group
USING
-- Do the token parsing in USING: break the bits we want out of the -|%{SID}|... tokens in Strings
Extract_Token(Strings,1,'|') AS SUr, -- User SID
Extract_Token(Strings,2,'|') AS GroupN, -- (Localised for free -- more friendly)
Extract_Token(Strings,3,'|') AS GroupD,
Extract_Token(Strings,4,'|') AS SGp, -- the Group SID
SUBSTR(SUr,2,SUB(STRLEN(SUr), 3)) AS SIDUser, -- break raw User SID out of the %{SID}
CASE EventID WHEN 636 THEN 'enrolled' WHEN 637 THEN 'removed' END AS Action, -- Friendly EventIDs
-- Output like "into BUILTIN\Administrators"
STRCAT(
STRCAT(
CASE EventID WHEN 636 THEN 'into ' WHEN 637 THEN 'from ' END,
GroupD),
STRCAT( '\\', GroupN)) AS Group
INTO
-- Need the -fileMode:0 (append) on the command line to avoid overwriting with each machine.
-- For a log for each machine, the command line above would let you use %sMachine% in the name.
%oFile%.csv
FROM
-- FROM the machine security log -- This is -i:EVT.
-- Don't use the SID resolve option, because you may want to limit to particular built-in groups,
-- and S-1-5-32-544 is easier than working out internationalised versions of "Administrators"
\\%sMachine%\Security
WHERE
((EventID=636) or (EventID=637)) and -- 636 enroll, 637 remove
(SID<>'S-1-5-18') and -- Ignore actions by local System
( -- Ignore boring groups
((SGp = '%{S-1-5-32-544}') or (SGp = '%{S-1-5-32-547}')) -- Only want Admins or P Users
-- Optionally don't report Domain admin (check your SID) being made admin, because it happens in every log!
-- and
-- (SIDUser <> 'S-1-5-21-4163168572-49618088-4072775208-512')
)
</big></pre>
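The token-breaking and filtering that admin.sql does in its USING and WHERE clauses, redone in Python so the logic can be checked against sample events without a Windows box. This is an added example, not the blog's Logparser script: the events, the account SIDs and the name lookup standing in for RESOLVE_SID are all constructed; only S-1-5-18 and S-1-5-32-544/547 are the real well-known SIDs the query uses.

```python
"""Mirror of admin.sql's filtering in plain Python (added example, not the blog's tool).
Sample events, account SIDs and the RESOLVE_SID stand-in are all constructed."""
import csv
import io
from typing import Dict, List, Optional, Tuple

# Well-known SIDs the query keys on (the real values used in admin.sql)
LOCAL_SYSTEM = "S-1-5-18"
WATCHED_GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}
ACTIONS = {636: ("enrolled", "into "), 637: ("removed", "from ")}

# Constructed stand-in for RESOLVE_SID(): a Windows box would ask LSA instead.
NAME_OF_SID: Dict[str, str] = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105": r"CORP\helpdesk1",
    "S-1-5-21-1111111111-2222222222-3333333333-1234": r"CORP\jbloggs",
    LOCAL_SYSTEM: r"NT AUTHORITY\SYSTEM",
}

# Constructed rows in the shape Logparser's EVT input exposes them:
# (EventID, TimeGenerated, ComputerName, caller SID, Strings).  Strings is the event's
# insertion strings joined with '|'; for 636/637 the order is
# member name | %{member SID} | group name | group domain | %{group SID} | caller | ...
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_EVENTS: List[Tuple[int, str, str, str, str]] = [
    (636, "2009-10-18 09:12:31", "MYPC", HELPDESK,
     "-|%{S-1-5-21-1111111111-2222222222-3333333333-1234}|Administrators|Builtin|%{S-1-5-32-544}|helpdesk1|CORP|(0x0,0x3E7)|-"),
    # Added to Users: a group the report doesn't care about
    (636, "2009-10-18 09:13:02", "MYPC", HELPDESK,
     "-|%{S-1-5-21-1111111111-2222222222-3333333333-1234}|Users|Builtin|%{S-1-5-32-545}|helpdesk1|CORP|(0x0,0x3E7)|-"),
    # Done by Local System (an installer service, say): ignored, as in admin.sql
    (636, "2009-10-18 09:20:00", "MYPC", LOCAL_SYSTEM,
     "-|%{S-1-5-21-1111111111-2222222222-3333333333-1234}|Power Users|Builtin|%{S-1-5-32-547}|SYSTEM|NT AUTHORITY|(0x0,0x3E7)|-"),
    # The follow-up removal the next day
    (637, "2009-10-19 08:01:45", "MYPC", HELPDESK,
     "-|%{S-1-5-21-1111111111-2222222222-3333333333-1234}|Administrators|Builtin|%{S-1-5-32-544}|helpdesk1|CORP|(0x0,0x3E7)|-"),
    # An unrelated logon event: never selected
    (528, "2009-10-19 08:02:00", "MYPC", "S-1-5-21-1111111111-2222222222-3333333333-1234",
     "jbloggs|CORP|(0x0,0x4A1)|2|User32|Negotiate|MYPC|-"),
]


def strip_sid_token(token: str) -> str:
    """The SUBSTR(SUr, 2, SUB(STRLEN(SUr), 3)) step: '%{S-1-5-...}' -> 'S-1-5-...'.
    A token that isn't wrapped (some events log a bare name) comes back unchanged."""
    if token.startswith("%{") and token.endswith("}"):
        return token[2:-1]
    return token


def parse_strings(strings: str) -> Optional[Dict[str, str]]:
    """Break Strings into the pieces the USING clause extracts (tokens 1-4).
    Returns None when there are too few tokens to be a 636/637 record."""
    tokens = strings.split("|")
    if len(tokens) < 5:
        return None
    return {
        "user_sid": strip_sid_token(tokens[1]),
        "group_name": tokens[2],
        "group_domain": tokens[3],
        "group_sid": strip_sid_token(tokens[4]),
    }


def resolve_sid(sid: str) -> str:
    """Stand-in for RESOLVE_SID: an unknown SID is reported raw so nothing is lost."""
    return NAME_OF_SID.get(sid, sid)


def suspect_rows(events, ignore_user_sids=frozenset()) -> List[List[str]]:
    """Apply the WHERE clause and build the columns admin.sql's SELECT writes.
    ignore_user_sids mirrors the commented-out 'don't report Domain Admins' filter."""
    rows = []
    for event_id, when, computer, caller_sid, strings in events:
        if event_id not in ACTIONS or caller_sid == LOCAL_SYSTEM:
            continue
        fields = parse_strings(strings)
        if fields is None or fields["group_sid"] not in WATCHED_GROUPS:
            continue
        if fields["user_sid"] in ignore_user_sids:
            continue
        action, preposition = ACTIONS[event_id]
        rows.append([when, computer, resolve_sid(caller_sid), action,
                     resolve_sid(fields["user_sid"]),
                     preposition + fields["group_domain"] + "\\" + fields["group_name"]])
    return rows


def report_csv(events) -> str:
    """One CSV line per suspect change, the same shape as the %oFile%.csv output."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(suspect_rows(events))
    return buf.getvalue()


if __name__ == "__main__":
    print(report_csv(SAMPLE_EVENTS), end="")
```

Of the five constructed events only the two Builtin\Administrators changes by the helpdesk account survive the filter, which is exactly what you want on the morning report.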
<br>Remaining niggles are petty. Some machines have corrupt SELs -- Logparser fails at the end of the log, so it never writes a checkpoint and the entire file is processed every time. But this can be fixed by saving and emptying the offending log. And I suppose it would be nice if it enumerated the domain itself, but that doesn't trouble me.<br><br>
Apparently V3 is due out. I cannot wait.