I started a new position this year and have many challenges to overcome. There are a lot of things that have been neglected and many changes to be made. One of the changes I was looking at implementing is enabling Windows Firewall locally. I started on a few new servers that I was rolling out and the regional IT staff that support some of our internal systems started to disable these firewalls. When I brought this up they thought I was nuts. Just wait until I start restricting services by IP.
Fast forward to today and the “Morto” internet worm is spreading via RDP. We don’t have any local RDP hosts that are open to the dangerous world we know as the internet, but I can’t vouch for the other dozen sites that are connected at the other end of our MPLS. Now, most of our PCs don’t have RDP enabled, but PCs used by management and, more importantly, the majority of our servers may be susceptible if one PC out of thousands is infected.
I realize more security means more administrative overhead and makes admin jobs harder, but what happens when something like this hits and all of these machines are infected? How much work is that going to take to remedy?
So, what are your thoughts? How far do you go to keep your infrastructure safe?
Unless you have been hiding under a rock you have heard about Sony’s PSN getting hacked. Apparently I was hiding under a rock yesterday as LastPass, a cloud password storage company, also had a possible security breach and I didn’t hear about it until late yesterday evening.
I am not going to act tough; at first I freaked out a little bit, immediately rushing to conclusions and imagining all the passwords I would need to manually go through and change. Fortunately, after reading their blog post and the LastPass CEO’s interview with PC World, I felt a little more at ease. I used a strong master password so I should be OK. I am very impressed at how they handled the situation and how open they were from the beginning. I think I will be keeping the majority of my passwords with them.
It seems like every other day there is another company sending out emails notifying their customers that their personal information may have been compromised. All of this has gotten me thinking: with the growing number of companies learning everything they possibly can (looking at you, Facebook and Google), is any information we give out on the computer really safe? Do these cyber crimes continue to rise because the consumer is more at ease to post their private lives and information on the net?
Google has now set the bar a little higher for Internet account security. Now the super-paranoid (like yours truly) can further secure their Gmail through the use of Google’s new two-factor authentication system.
While not as cool as using YubiKey for LastPass, you can now use your phone to generate a one-time password to gain access to your Google account. As I’ve covered before, you shouldn’t be using the same password for multiple online accounts, but you really shouldn’t be using your main email password for anything else, as it is the go-to place for account recovery. But even if you are, this additional layer of security will make compromising your account nearly impossible.
If the recent Gawker password breach (re)taught us anything, it’s the old and valued lesson of “don’t use the same password everywhere” — but as often as I repeat that phrase and cringe a little bit when I find out someone else did it, I’ve been just as guilty of this cardinal sin of network security myself… from time to time. It’s hard not to.
When you’re as active on the Internet as I am, it’s impossible to resist the urge to duplicate passwords, especially if you’re against writing them down. So you’re left to memorize them all, hope you don’t forget, and hope that you can rely on the splendid password reset via email later on.
All of the Gawker fun also taught (or should have taught) website administrators like myself to take better care of their users. Gawker fouled up in a huge way (beyond simply exposing user data) by not taking proper steps to secure the information in their database once it was exposed. Gawker used an easily crackable cipher system (DES) which was deprecated in favor of a new industry standard (AES) long ago.
You know you’re probably doing something right when three of your biggest competitors start acting like the world has come to an end. In this case, it’s Microsoft versus the anti-virus world.
While we like to stress the importance of anti-virus products on all platforms, they’re sort of like insurance companies. Their products are usually expensive and bloated, and when you really need them most of the time they’re not that effective. Microsoft’s Security Essentials product is arguably one of the best anti-virus products on the market, and it’s free, and it’s got traditional vendors like Symantec, McAfee and Trend Micro scared. Even more so now that Microsoft has begun distributing the software to users directly through its Microsoft Update service.
So the US Department of the Interior decides that it wants a new email system, and after consideration decides it wants to use Microsoft’s hosted Exchange platform.
Pretty straightforward, right?
Well, until Google decides that the DOI should have used Google Apps instead, and goes to sue the government for wanting to use Microsoft’s products. Never mind the fact that Google doesn’t even have a GSA contract and cannot actually sell products to the federal government without one.
Google’s case makes it sound like they’re trying to protect the government from disaster by going with Microsoft’s product, providing a filing full of reasons why their platform is superior and Microsoft’s is run by idiots. Never mind the fact that Google Apps has had its fair share of issues in the last few months (even in the last week) and that they’re constantly adding/changing/removing features that would probably not be welcome in a government setting.
I have seen many different viruses pose as a security suite on a user’s machine, requesting them to put in their credit card info and preventing them from surfing the Internet until they do. This practice is not new, but I think this is the first time I have seen a virus mimic a current security software to lend some credibility to their scam.
At the Windows Team Blog, Eric Foster is reporting about a trojan that takes a page from these other well-known scams and puts its own twist on it. It actually mimics Microsoft’s free AV solution, Microsoft Security Essentials, except it prompts the user to install other security software and requests a credit card number.
Has Microsoft reached general acceptance of their security suite, enough for malware writers to start exploiting the name and the design? Should companies like McAfee be worried? I think so.
I’m not sure I would have paid $29 for a copy of McAfee, but Intel decided it was wise to go all in and spend almost $8 billion to acquire them.
Of all the security companies out there Intel had their choice of, they picked one of the most bloated and ineffective scanning engines, and the one that has one of the worst track records when it comes to false positives that eat your computer alive.
I can say that having spent almost 4 years managing their corporate suite, and having their software updates crash my systems (I eventually dumped their software for Microsoft Forefront) and rebuild my configuration multiple times, I’m not looking forward to them integrating their technologies on Intel chips.
(McAfee Press Release)
The number of businesses still using Internet Explorer 6 is painful to see. Coupled with the fact that all of them are on Windows XP or Windows 2000, it turns from pain into terror, especially when it comes to security.
For a lot of system administrators, the reasons to stay outweigh the reasons to upgrade. Websites that break, plugins that won’t load, old software that isn’t updated anymore. Trust me, I’ve been there. However, a lot of it boils down to lazy and poor practices of system administration.
Yes, you’re lazy and you’re bad at your job. Internet Explorer 6 was released in 2001. Yes, 2001, most of us don’t even drive cars that old, let alone unleash people on the “information superhighway” with a browser that old. It was designed at a time when security was not the issue it is today. It was designed to work on operating systems like Windows 98 and Windows ME. Would you let people use Windows ME on your network? No! So why are you letting them use a browser that was built for it?!
This Patch Tuesday will be one of the lightest ones for security in recent memory. According to the Security Bulletin Advance Notification for this month, Microsoft will only be releasing one patch for Windows, and none for Internet Explorer or Office. The patch will be issued on Tuesday, January 12, and will be followed on January 13 by a 90-minute webcast at 11:00 AM Pacific. In addition to the one patch for Windows, Microsoft will also release an updated version of the Malicious Software Removal Tool.
The patch is considered critical for Windows 2000 users, and low for all other versions, and relates to a remote code execution vulnerability. Affected operating system versions include every currently supported edition both on the client and server side:
- Windows 2000 Service Pack 4 [Critical]
- Windows XP Service Pack 2 & Service Pack 3
- Windows XP x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2 (32-bit, 64-bit & Itanium)
- Windows Vista Service Pack 1 & Service Pack 2 (32-bit & 64-bit)
- Windows Server 2008 Service Pack 2 (32-bit, 64-bit & Itanium – except Server Core installs)
- Windows 7 (32-bit & 64-bit)
- Windows Server 2008 R2 (64-bit & Itanium – except Server Core installs)
Microsoft will still be releasing one or more non-security but high-priority updates through Windows Update and Windows Server Update Services, but has not yet disclosed details.