Random Acts of Technology

23
Mar
2020

Information Security in the Age of COVID-19

The Hacker News is running several interesting articles on information security and COVID-19 and the emerging threats that come with it. Specifically, the threats that a newly mobilized remote workforce faces when many of those workers have little experience detecting threats outside of their normal work environment. While the article referenced specifically touts Cynet's service offering, the guidance offered is applicable across the board.

Take, for example, all of your new remote workers who are receiving all or some of their direction via personal communication channels, whether phone, SMS, or email. How many of these staff are capable of discerning phishing messages on their personal devices? It is one thing when they have a corporate suite of products assisting them with these judgement calls, but without those tools can they still be trusted to determine who the bad actors are? In all likelihood, remote workers are going to be less capable of protecting themselves without new training programs and time to become acclimated to their new reality. COVID-19, however, has left no time for that in the face of mandates to have 100% of your workforce out of the office. Introducing new training for these workers on how to protect themselves in this chaotic time is going to be crucial, not only for them but also for the well-being of the organization as a whole. In addition to training, all information security teams should be looking at how best to detect unauthorized data loss as well as unauthorized access into corporate networks. It also goes without saying that any remote access solution should be protected by two-factor authentication.

Be well, be safe, and secure your networks.

23
Jan
2020

Microsoft Exposes Elasticsearch Database to the World

Security Week reports that Microsoft has suffered a mishap with a handful of its Elasticsearch databases causing approximately 250 million customer support records to be exposed. While financial information for these clients was not exposed, it does appear that the data could be used for phishing attacks and tech support scams.

Of course the kicker is that Microsoft runs one of the largest cloud services on earth, where users must take great pains to secure the systems they set up. Now it turns out the company running those services can't secure its own. While I know these Elasticsearch databases were not really part of the Azure cloud service, it does raise the question: if Microsoft can't secure its own systems, how can its clients ever hope to completely secure theirs in the Azure cloud? If nothing else, this should serve as a reminder that no company, person, or organization is immune to security lapses, and great care should always be taken to secure both internal and cloud systems.
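As an added illustration (not code from Security Week, Microsoft, or Elastic), here is the check a practitioner would run against their own clusters: an unauthenticated GET on a node's root URL returns the cluster banner on an open instance, while a node with authentication enforced answers 401. The sample responses are constructed and the host in the usage comment is hypothetical.

```python
"""Added example, not from the article or from Elastic: flag Elasticsearch
nodes that answer an unauthenticated GET / with their cluster banner."""
import json
import urllib.error
import urllib.request


def classify_response(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated GET on a node's root URL."""
    if status in (401, 403):
        return "auth enforced"
    if status != 200:
        return f"unexpected status {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not elasticsearch"
    # An open node hands its cluster banner to anyone who asks.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return f"EXPOSED: cluster '{doc['cluster_name']}' served without credentials"
    return "not elasticsearch"


def check_node(url: str, timeout: float = 3.0) -> str:
    """Live check. Only run this against endpoints you are authorised to test."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")
    except (urllib.error.URLError, OSError) as err:
        return f"unreachable: {err}"


if __name__ == "__main__":
    # Constructed responses standing in for real nodes.
    open_banner = '{"name":"node-1","cluster_name":"support-logs","version":{"number":"7.5.0"}}'
    print(classify_response(200, open_banner))
    print(classify_response(401, ""))
    # Live usage against a hypothetical host:
    # print(check_node("http://es.example.internal:9200/"))
```

The script only tells you whether a node is talking to strangers; the fix lives on the node side, in the `network.host` binding and `xpack.security.enabled` in `elasticsearch.yml`, plus a firewall rule in front of port 9200.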

03
Dec
2019

VNC Client and Server Software Vulnerabilities Found

The Hacker News reports that dozens of new VNC client and server vulnerabilities have been found in the open source versions of the tools used by IT departments all over the world. If you are like me and think "VNC, who uses that any more?" then you should go check out a YouTube video by Tobias Mädel where he connects to open VNC servers all over the internet. Sure, the video is from 2015, but when you think about how rarely industrial plant management software and device firmware get updated, you can bet money that there are plenty of open VNC servers still running and accessible.

The moral of the story? Don't expose critical systems and services (like RDP and VNC) to the internet unless it is absolutely essential. If it is essential, and you can't put them behind a VPN, then you had better use a very strong and complex password to secure the access, and even with a VPN you should do that. Bear in mind that the classic VNC Authentication scheme only uses the first eight characters of the password in its DES challenge-response, so on VNC a password is a weak control on its own; it should back up network restrictions, not replace them. Lastly, you need to make sure you and any vendor you purchase software and devices from have a strong policy of pushing out updates any time a vulnerability is found. You can't afford to wait five years for an update when your chemical plant control system is left completely exposed on the internet through remote access software flaws.
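An added example, not from the article or the video: the first two messages an RFB (VNC) server sends are its version banner and its list of security types, and a server that offers type 1 ("None") is one of those open servers. The parser below handles RFB 3.3 and 3.7/3.8; the sample messages are constructed, and `probe` performs the live handshake and is only for hosts you are authorised to test.

```python
"""Added example (not from The Hacker News or Tobias Mädel): parse the opening
of an RFB/VNC handshake and flag servers that offer no authentication."""
import socket
import struct

# Security type numbers from the RFB specification.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD",
}


def parse_version(banner: bytes) -> tuple:
    """b'RFB 003.008\\n' -> (3, 8). Raises ValueError on a non-RFB banner."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB version banner")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple, data: bytes) -> list:
    """Parse the server's security-type message that follows the version exchange.

    RFB 3.3: a single U32 security type chosen by the server (0 = refused).
    RFB 3.7/3.8: U8 count followed by that many U8 types; a count of 0 means
    the server refused and a U32 length plus reason string follow.
    """
    if version <= (3, 3):
        (sec_type,) = struct.unpack("!I", data[:4])
        if sec_type == 0:
            raise ConnectionError("server refused connection")
        return [sec_type]
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", data[1:5])
        reason = data[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(data[1:1 + count])


def describe(types: list) -> str:
    """Human-readable verdict; any offer of type 1 means a client can skip auth."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    verdict = "OPEN (no authentication offered)" if 1 in types else "authenticated"
    return f"{verdict}; offered: {', '.join(names)}"


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> str:
    """Live check against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = parse_version(sock.recv(12))
        if version >= (3, 8):
            reply = b"RFB 003.008\n"
        elif version == (3, 7):
            reply = b"RFB 003.007\n"
        else:
            reply = b"RFB 003.003\n"
        sock.sendall(reply)
        return describe(parse_security_types(version, sock.recv(260)))


if __name__ == "__main__":
    # Constructed server messages, not captured traffic.
    version = parse_version(b"RFB 003.008\n")
    open_server = bytes([1, 1])         # one type offered: None
    locked_server = bytes([2, 2, 19])   # VNC Authentication and VeNCrypt
    print(describe(parse_security_types(version, open_server)))
    print(describe(parse_security_types(version, locked_server)))
```

Run `probe()` across your own address ranges on 5900-5910 and anything reported as OPEN should be treated as an incident, not a finding; "authenticated" only means a password is required, not that it is a good one.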

18
Nov
2019

Minecraft Hour of Code 2019: For Everyone but Chromebook Users

Microsoft made an interesting decision this year not to support the Hour of Code event on Chromebooks. Sure, that seems like a non-event, since most people don't use Chromebooks… except for schools and students. As a parent of a student in a district that uses Chromebooks for classroom work, this is disappointing to say the least. The whole point of the Hour of Code event is to get kids involved in coding and to learn. To do that the event has to be inclusive and support the platforms that students have access to. Chromebooks are incredibly common in education, where schools need to provide a computing platform that is easy to manage and relatively inexpensive. To exclude a platform like this is to make the Hour of Code an event exclusive to those who can afford more expensive platforms, which violates the entire principle of the event.

You can be better than this, Microsoft; time to make the Hour of Code accessible to all kids.

17
Nov
2019

Surprise! John Legere Won’t Be WeWork CEO

Engadget is reporting that John Legere, once floated as a possible next WeWork CEO, is no longer in the running. Sure, the convenient excuse for this is that SoftBank is the majority owner of both WeWork and Sprint, which T-Mobile is merging with, so there is a conflict of interest. I get it, and it is a completely reasonable explanation for why Mr. Legere will not be the next WeWork CEO.

However, I would speculate that he also wants nothing to do with the dumpster fire that is WeWork right now. He would go from the savior of T-Mobile to the CEO of a company that is despised and mired in turmoil. I don't care how much of a turnaround CEO you are, willfully walking into a company like WeWork right now is not the note you want your career to go out on. Much better to be the person who successfully merges T-Mobile and Sprint than the one who goes down with the WeWork ship.

13
Nov
2019

The End is Nigh! Time to Ditch Windows 7 Now

ITWorld has a very interesting long-running series of articles chronicling the slow but steady demise of Windows 7 and the slow but steady rise of Windows 10 in terms of market share. Come January 14th, 2020, Windows 7 support will officially end (unless you want to keep paying Microsoft for extended security updates on a per-PC basis) and you will no longer get the critical updates needed to keep your organization secure.

What amazes me about the whole process is the prediction by Net Applications that Windows 7 may retain 10+ percent market share well into 2022, long after support has ended, when every newly discovered flaw will go unpatched and stay exploitable. Don't get me wrong, I know first hand how painful it can be to update and replace thousands of physical PCs to get rid of an old OS, but as hard as that may be, it is well worth it. In my own experience, the reduction in vulnerabilities just from going from a fully patched Windows 7 to a fully patched Windows 10 will make a world of difference on your audit scorecards.

Please do you and your organization a favor and move to Windows 10 now. You will be happy you did and it will allow you to sleep better at night.

12
Nov
2019

Robotic Process Automation Goes Open Source

If you have had your eyes and ears open at all for the past year or so, you know the new hotness is Robotic Process Automation (RPA) in enterprise IT. Basically that is a really fancy name for a system that mimics a user’s actions on another system so that a person doesn’t have to do it. Truth be told, there have been scheduling and automation platforms around for a long time that have done a lot of what modern RPA solutions are doing. The biggest difference is that the focus is now more about interacting with a GUI versus just focusing on what could already be done through scripting like moving files around.

This week Robocorp and the Robot Framework project have started to make a splash within the industry as the first to take the RPA movement into the open source space and make it more accessible to organizations that don't want to buy into a major commercial platform or that want to do something more custom with their current tool set.

As a user of commercial RPA technologies currently, the idea of an open source framework and a company looking to make that more accessible to the masses is very exciting. The cost of current RPA solutions is a significant barrier to entry for many smaller organizations and Robocorp has the chance to increase the user base for RPA significantly by making it more cost effective for these smaller organizations. Just knowing that this is coming in the future makes me want to spin up a virtual machine with the Robot Framework running to start playing around. Then when Robocorp has a product ready, I can be primed to pick up and start using their solution.

After all, as their site says:

If you can document it, you can automate it. Never send a human to do a machine’s job.

https://careers.robocorp.com/

That is music to my programming ears 🙂

11
Nov
2019

Python Overtakes Java

InfoWorld has an article about the Python programming language overtaking Java in terms of popularity on GitHub. 15 years ago I was taking computer science classes primarily focused on Java development, and now Java, once touted as the programming language to end all languages for cross-platform application development, has been eclipsed. I'm not particularly sad to see it get knocked down a notch. The Java runtime has always been notoriously buggy and full of vulnerabilities. It has been the bane of IT managers worldwide since its inception, causing audit findings because older versions are required to run certain applications, because there are new zero day vulnerabilities, and because vendors' Java coding practices have been less than optimal. Throw an unpatched Java web framework into the mix (Apache Struts, in Equifax's case) and you have the recipe to be the next Equifax.

Vulnerabilities aside, the news about Java being overtaken in popularity is a reminder to programmers everywhere that they must keep their skills current and not be afraid to learn new things. Yes, I know COBOL and Fortran are still around, but do you really want to be the last dinosaur standing or would you rather be able to evolve and avoid extinction? I would suggest the latter.

11
Nov
2019

Your People Are Your Biggest Threat

The Hacker News has an article posted on November 7th about a rogue Trend Micro employee stealing customer data and selling it to a tech support scammer. This goes to show, once again, that your people are always your biggest threat. Whether they are clicking on malicious links in an email from that prince or actively stealing data to sell on the black market, they are likely going to do something to cause you serious pain. Many companies don't know how to combat these threats or are completely oblivious to what their people may be doing. Here are some ideas to help protect your organization:

  1. Invest in training – Train, train, train, and then train your staff again to be vigilant and know how to recognize a malicious email, phone call, or text message before they divulge any information. If they fall for one, deliver on-the-spot training to help them learn from their mistake.
  2. Invest in more than your average anti-virus software – Advanced Persistent Threats (APTs) are the buzzword of the decade. While you don’t need to listen to all the marketing hype, you should have a host based security solution on your PCs and servers that does more than just look for known signatures. It needs to identify unknown threats as well as known threats, block ransomware, stop data being transferred to removable storage, and more.
  3. Adopt a policy of least privilege – Does that receptionist really need local administrative privileges on their PC? Does that staff trainer really need access to the marketing database? I don’t think so. If people don’t need access to data, make sure they can’t get to it.
  4. Classify your data – What is in that random Word document on the accounting shared drive? Is it something that shouldn't leave the building? If it is, make sure you are tagging the document and putting restrictions in place on your firewalls to stop it from leaving. Do this for all of your data and put rules in place to protect it where it is stored.
  5. Invest in Data Loss Prevention (DLP) tools – Make sure data isn’t leaving your organization. Have tools that can observe data movement, alert, and stop it from happening if needed.
  6. Protect your data from and in the Cloud – Invest in Cloud Access Security Brokers (CASBs) if you allow your staff to store data and work in the cloud. You don’t want data stored improperly in services like Slack, Office 365, Dropbox, Gmail, or somewhere else.
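To make items 4 and 5 concrete, here is an added example (not from the article and not any vendor's DLP engine): a content rule that looks for a classification tag stamped into a document and for payment card numbers validated with the Luhn check, then returns allow, alert, or block for an outbound message. The tag format, the policy thresholds, and the sample messages are assumptions for illustration.

```python
"""Added example, not from the article or any DLP product: a minimal outbound
content rule combining a data-classification tag with a card-number detector."""
import re
from dataclasses import dataclass

# Assumed tag that the classification step (item 4) would stamp into documents.
CLASSIFICATION_TAG = re.compile(
    r"CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)", re.IGNORECASE
)
# 14-19 digits with optional space/dash separators; refined by the Luhn check.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card-like numbers in text, separators removed."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    action: str      # "allow", "alert", or "block"
    reasons: list


def evaluate(text: str, destination_internal: bool) -> Verdict:
    """Decide what to do with an outbound message.

    Policy (an assumption for this example):
      - CONFIDENTIAL or RESTRICTED content leaving the organisation -> block
      - INTERNAL content leaving the organisation -> alert, but allow
      - any card number leaving the organisation, whatever the tag -> block
    """
    reasons = []
    action = "allow"
    if destination_internal:
        return Verdict(action, reasons)
    tag = CLASSIFICATION_TAG.search(text)
    level = tag.group(1).upper() if tag else None
    if level in ("CONFIDENTIAL", "RESTRICTED"):
        action = "block"
        reasons.append(f"{level} document leaving the organisation")
    elif level == "INTERNAL":
        action = "alert"
        reasons.append("INTERNAL document leaving the organisation")
    cards = find_card_numbers(text)
    if cards:
        action = "block"
        reasons.append(f"{len(cards)} payment card number(s) in content")
    return Verdict(action, reasons)


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test number.
    samples = [
        ("CLASSIFICATION: CONFIDENTIAL\nQ3 forecast attached.", False),
        ("CLASSIFICATION: INTERNAL\nCafeteria menu for next week.", False),
        ("Card on file: 4111 1111 1111 1111, exp 12/22", False),
        ("Reference number 1234 5678 9012 3456", False),
        ("CLASSIFICATION: RESTRICTED\nPayroll export", True),
    ]
    for body, internal in samples:
        print(evaluate(body, internal))
```

Real products add file-type parsing, fingerprinting of known documents and user context on top of this, but the shape is the same: classification drives the decision, and content detectors catch what was never tagged.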

There are many other things you could do as well, but I would argue that if you have these tools in place and configured properly, you just might avoid ending up like Trend Micro.

10
Nov
2019

The Best Defense is a Good Offense

Krebs on Security has an article published on October 16th of this year (I know I am behind) detailing the hack of BriansClub, a known black market card fraud site. What is interesting about this whole hack is that it is not some vigilante group going after the site to save consumers, but rather a rival black market operation trying to sabotage one of its competitors. In essence, this was a business decision made by one of BriansClub's competitors to try and put them out of business. It's similar to two warring cartels attacking each other until one no longer has the resources or the people to continue operations.

This raises the question, though: why not make offensive operations against these kinds of sites the norm rather than the outlier? In the financial services industry we have a number of cybersecurity information sharing organizations; maybe it is time to establish an offensive cyber operations organization that doesn't just share information about known threats but actively seeks them out and attempts to disrupt illegal operations. Of course there are potential pitfalls with this type of setup. The efforts of such a group would have to be carefully watched by both the industry and law enforcement to ensure its operations were focused solely on illegal operations in the dark web. The last thing you would want is a group that was supposed to protect consumers deciding to go rogue.

Risks aside, it seems like it is time to open up and publicly establish more direct industry operations against these criminal elements. Sharing information will never prevent fraud, these sites have to be shown it isn’t worth operating because they will be taken down before they can ever make any money.