Posts by RobinCM

36 posts • joined 15 Feb 2013

Cover your NASes: QNAP acknowledges mystery malware but there's no patch yet

RobinCM

Multiple problems?

As the person whose forum post is quoted in this latest Reg article, I think I might be suffering from a different, possibly older problem.

Several of the obfuscated .sh files I found were dated back in August, when the NAS was available on the internet. It stopped being directly visible around October, instead only allowing access via myqnapcloud.

Another interesting thing is that I wasn't running the latest firmware, but I'm pretty sure I would have checked it over the last few months via the admin web console. Along with this, the auto update check told me there was no new firmware available, when actually there was. I manually downloaded and updated the firmware the other day. Didn't fix the "wrong architecture" errors though.

Somebody from qnap support has apparently "delete[d] malware in the NAS QTS system" so I'll see later tonight if it's any healthier.

It is a few years old now but is apparently supported until some time in 2020. I just don't know if I trust it anymore. The whole point of having it was to get access to my stuff from anywhere with the minimum of hassle.

Windows 10 security question: How do miscreants use these for post-hack persistence?

RobinCM

NLA

Pretty sure that's on by default, and the machine will reject connections if the client doesn't support it or doesn't want to use it.

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)

RobinCM

Drive firmware updates?

I wonder if there'll be any firmware updates released, and if these will be able to fix the issue without effectively junking all the data on the drive.

I also wonder what the performance hit is of software vs on-disk-hardware encryption. Newer CPUs have AES instructions built in so unless your processor is already running at 100% it presumably won't be too bad?

BitLocker documentation is here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdeosd

I imagine you'd have to decrypt then re-encrypt the drive after changing this setting, which would be somewhat time consuming.

It'll be interesting to see if/what guidance Microsoft produce on this topic.

Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia)

RobinCM

BIOS and other firmware updates are actually released fairly frequently, by decent manufacturers. Particularly BIOS since the spectre/meltdown thing kicked off.

My aging Dell laptop is up to BIOS version A21, which averages to a release every 4 months. The latest version was released in March, which is pretty impressive for a seven year old machine with no hardware support contract.

People actually bothering to install these updates happens much less frequently. Which is a shame because they often fix quite serious stability and data corruption issues, not to mention security.

Cybercrooks home in on infosec's weakest link – you poor gullible people

RobinCM

At the university I used to work for, the spam filtering used to outright delete around 80% of the messages arriving for the domain and only very rarely did we get somebody complain that an email they were expecting hadn't arrived. That was about four years ago.

Stress, bad workplace cultures are still driving security folk to drink

RobinCM

Re: IT is not a healthy profession

I worked in an increasingly toxic IT department for a long time, hoping it would get better. When it got worse, and after a few months off work with stress (which did help) I started looking for a new job. After about a year of looking - I didn't want to jump out of one terrible organisation and into another - I found the right job, still doing IT, but for a smaller and much nicer place, with an easier commute, better pay, and far more career prospects.

If you're not enjoying it, leave! I should have left my old job ten years before I actually did. Don't try and change a toxic organisation, and definitely don't stay there and work yourself into an early grave supporting managers who don't deserve it.

There's loads of IT and security jobs out there, just find the one that's right for you. Recruitment agencies can actually help with this. (If nothing else, getting the occasional phone call from them when they find your CV helps boost your self-belief and self-worth).

Put your CV on a few of the big recruitment sites, and see what happens!

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

RobinCM

1. Just because something is listening on localhost doesn't also mean it's listening on the machine's network IP address.

2. Most ISPs supply routers that have NAT firewalls enabled by default, so a machine listening on a private address behind one of those is unlikely to be accessible from the public IP address of the router.

3. If you're not banner grabbing how do you know what's actually listening?

4. I'm pretty sure ISPs do or used to do port scans of customers' public IP addresses, Virgin/Telewest definitely used to do that to me years ago. Does that still happen?

5. I'm slightly concerned that client side JavaScript could be scanning any local IP addresses on my internal network, and wonder what's the legitimate use for this functionality in a web browser? Seems like a drive by IoT disaster waiting to happen.

BlackBerry claims it can do to ransomware what Apple did to its phones

RobinCM

Only if it is run with an account that has sufficient privileges.

Who lets end users have admin rights these days? (Actually, plenty, sadly...)

Or doesn't remind users not to store their data on a network/cloud file server (where they definitely shouldn't have admin rights)?

Standard users can't remove VSS snapshots.

RobinCM

Crap

Rather like UEM then?

Been hoping that'll start working properly for two years now but new bugs keep on appearing. Current one is not being able to activate Android 7.1 devices. Oh, and another one is not being able to get app updates on some phones.

Plus it's Windows server software but for some reason they wrote it in Java, so it needs crazy amounts of RAM and is extra slow.

The features sound great on paper, and if they worked (as described, all of the time) it would be fine.

Very seriously considering ditching it.

New Zealand school on naughty step after ransomware failure

RobinCM

Windows has AppLocker (or Software Restriction Policies) but in my experience, few places bother turning it on.

Application whitelisting is just sensible, isn't it? Who wants any random code that they've not approved to run on their system?

I suspect it's not more widely used because of either ignorance (of its existence, or how to configure it properly) or laziness. Or because people think it's not necessary because how could they possibly be let down by all the extra security tech they spent £££££ on? "I don't need to close my doors and windows when I go out because I've got a burglar alarm."

RobinCM

Re: Surely...

Cloud storage (for users) tends not to use things like mapped drives, plus it tends to have file history features so even if your local files are encrypted and synced to the cloud, you can go back to a previous version.

No doubt somebody is working on a way to get around this though, but it'll be different for each cloud provider, assuming they have an API for accessing the type of features needed. Crypto malware has been trying to destroy local file history for years if it has sufficient privileges (i.e. user is logged on with an administrator account).

Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound

RobinCM

It's no different from any other tech

Yes it's a car, but how is this different to selling a phone, laptop, tablet, fridge or anything else with tech in it?

If I sell an Android phone, I need to make sure I remove my data and Google account from it before I sell it.

Ditto for any of the other items I mentioned. As a seller, I would want to do this, so I know my data has gone before the device leaves my ownership.

If I'm buying a second hand car I'm definitely going to be asking the retailer if any connected functionality has been correctly reset and is ready for my use - before I buy the car.

Seems like the guy in the article failed to do that, and then got in a strop and blamed the vehicle manufacturer for his own lack of foresight.

If I bought a used iPhone and the previous owner hadn't wiped it properly, and I didn't check that before I bought it, how would that be Apple's problem?

Font of pwnage: Crims poison well with crypto-jacking code, trickles into PDF editor app

RobinCM

Re: "The whole exercise is a fine example of a supply chain attack"

Presumably the same thing could occur with the various package managers like apt or rpm? They seem to pull down a load of dependencies on the fly, so all somebody has to do is compromise some frequently used library package or whatever, and bingo.

We've also talked about dynamically linked JavaScript on websites, where the code is hosted elsewhere.

Seems like there are many opportunities for supply chain type problems to occur.

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

RobinCM

Re: SMB

You can help this situation by configuring a firewall on your file server to only allow connections from places you'd expect one to be inbound from.

You could also/alternatively use IPSec to limit what is able to connect to that server.

RobinCM

Re: 2FA can be worse than just letting things be

You're clearly not going to like this, what with that hornet's nest in your collective bonnet, but that didn't sound unreasonable to me. Most places would have you use a 2FA code at every authentication. Once per 24hrs on non-school-owned devices seems fair enough. I'm kind of amazed that educational establishments still allow BYOD, what with the extra-sensitive nature of most of their PII.

Places of education tend to have terrible IT security, and this is exactly the type of reaction when anyone tightens it.

The other argument that gets used a lot to block security tech is "academic freedom".

Sadly, the rest of the world is slowly doing this shit, and you're no different. Even if you think you are. Sorry!

RobinCM

Re: No Lockouts? Really???

Exactly.

It'd be very easy to write a few lines of script that gets all the usernames from AD (readable by all users, and potentially even anonymously if you've not secured it) and then bang a password of "a" at each one until it locks, move on to the next and repeat.

Instant chaos. I'm amazed more people don't have this kind of problem with malware or when they get infected with remote access tools. Perhaps it's just one of those mass disasters waiting to happen...

RobinCM

The last thing I want is to have to cart around, keep charged, and generally take care of a second electronic device. Been there, done that, far too much hassle.

I'd be more than happy to use an app on my own phone as long as it doesn't drain the battery significantly, doesn't intrude when I'm not at work, and doesn't use noticeable amounts of data.

E.g. Google Authenticator. Or a text message. Or the Microsoft Authenticator app. I might be tempted by a Yubikey, but I can see that across a large organisation the rate of loss would be significant.

The beauty of allowing staff to use their own phones for MFA/OTP is that they tend to always have them with them, they're always charged, they know how to unlock them, and they tend to take a lot more care of them than a company device.

I'm speaking as somebody who tried a corporate phone and found it a massive pain, and as one of the people who've been managing the devices.

What is a shame is that Active Directory and Windows don't have some kind of MFA/OTP built in from years ago. I've yet to find a solution that I like the look of that works when the endpoint is offline and that is affordable.

Way back in the mid 90s I had S/Key (one time passwords) for remote access to Solaris systems.

I doubt Microsoft will be changing their current plan of attack though, i.e. Windows Hello. Although they've got umpteen options for various other things these days, so maybe a simple pluggable authentication module to support a 6 digit code type of OTP will appear. Surely it can't be that difficult?

Friday FYI: 9 out of 10 of website login attempts? Yeah, that'll be hackers

RobinCM

Re: Another reason this is such a successful exploit

If the credential databases from multiple sites are stolen, they'll either include the email address in addition to the username, or people will use the same username on multiple sites.

It'll make some impact, but I don't think it's the kind of panacea that people make it out to be.

Plus, people forget them, leading to knock on issues with the site holder then having to have a "remind me what my sign in details are" feature, with all the scope for abuse that brings with it.

Two factor, done right, all the way for me.

RobinCM

Re: password reuse

Other banks are available...

I believe that one of the top rated banks in the UK for customer service exists entirely online, not that I'm a customer, but perhaps you chose unwisely?

Brit tech forges alliance to improve cyber security as MPs moan over 'acute scarcity' of experts

RobinCM

Re: Why?

Exactly. And the certs are there too.

Tigerscheme's Qualified Security Team Member/Leader, Check Team Member/Leader, etc. Plus there are plenty of industry vendor certs from generic ones like CompTIA Security+ to more vendor specific stuff from e.g. Microsoft.

As has also already been mentioned, the problem is companies not actually coughing up to train people, then not employing enough of them, and not listening to them when they have employed them.

Schemes like Cyber Essentials Plus are helping make some companies comply with a basic security baseline, but it's not enforced across all companies yet, and it's scary how many applicants fail various bits of the testing. And those are the ones who are at least trying to be secure!

Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

RobinCM

"some older environments may end up at risk where there is poor security practice – e.g."

...if there are network connected, unsupported or unpatched operating systems running.

TSB meltdown latest: Facepalming reaches critical mass as Brits get strangers' bank letters

RobinCM

Perhaps

If TSB hadn't been forcibly split off from Lloyds then this wouldn't be an issue.

Any large scale data migration is going to have problems. These problems are exacerbated due to money being involved. Hands up if you've done a data migration of this scale and had zero issues?

I feel rather sorry for TSB in some respects. Forced into existence, they hire a supposedly expert firm to manage their systems and data migration only to have it blow up in their face. So they're paying through the nose for IBM, and now they're having to deal with frauds, fines and legal nonsense too. And try and provide some kind of valuable service to customers.

Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!

RobinCM

Re: Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself.

You don't get multi-factor authentication on old protocols like IMAP. Which to their credit, Yahoo have been strongly encouraging their users to turn off if they don't need it. Given that 99.99% of people just use a browser this is the right approach.

I used to use IMAP years ago (via a telnet client sometimes, ha!) but MFA is too useful a security measure.

Still not on Windows 10? Fine, sighs Microsoft, here are its antivirus tools for Windows 7, 8.1

RobinCM

E5 only

I'm pretty sure you can only get ATP if you have a Windows Enterprise E5 license. Which is a shame as that's not available to places with under a certain number of licences, or it's extremely expensive compared to E3.

ATP looks rather good, I have no idea why it's not being made more accessible to smaller businesses.

Acronis: Ransomware protection! Get yer free ransomware protection!

RobinCM

Veeam support head Gostev posted a month ago about a company that was hit with Cryptomix Arena, which encrypted all their file servers and VMs, called home, and then human beings manually deleted all their Veeam backups via Veeam itself including both local NAS copies and those in the cloud, then deleted the Veeam VM. The customer managed to recover some data thanks to storage snapshots, but I think I'd prefer some offline backups for peace of mind!

Wanna motivate staff to be more secure? Don't bother bribing 'em

RobinCM

Re: Don't name and shame persistent offenders

You ask yourself if you want to continue working there.

And/or talk to their boss and explain the situation, and then re-ask yourself if you want to continue working there.

You'll find your motivation for your job probably either decreased significantly, or, ideally, increased significantly.

Russia claims it repelled home-grown drone swarm in Syria

RobinCM

Flashy drones

https://eandt.theiet.org/content/articles/2018/01/intel-demonstrates-coordinated-250-drone-lightshow-as-a-fireworks-alternative/

All the flash but without the bang.

Tenable's response to folks upset at AWOL features: A 150-emails-a-minute spam storm

RobinCM

Re: Someone has shot themselves in the foot

So what else is out there? Aside from OpenVAS, which I've heard of but not used.

Somebody commented by saying that there are loads of alternatives, but conveniently mentioned precisely none of them.

Don't care if it's paid or free, but it needs to be good and to "just work".

Thank you!

Intel Management Engine pwned by buffer overflow

RobinCM

Please explain

How is Google's plan of using Linux instead of Minix any better? Am I missing something?

Want to get around app whitelists by pretending to be Microsoft? Of course you can...

RobinCM

AppLocker

A different type of whitelisting, but works well enough to stop people (non-admins) running stuff you've not approved.

Except it now doesn't block PowerShell, and worse, lies and tells you it has in the event log. Disappointing.

Everybody without Android Oreo vulnerable to overlay attack

RobinCM

Nokia

Are advertising their Android phones in part by stating their "pure Android" nature and that they'll get regular security updates. Specs aren't bad either, my partner bought a Nokia 8 yesterday and it's rather nice - considering getting one myself.

My HTC One M9 is still on 7.0 April 2017 security update.

It'll be interesting to see how many other manufacturers start to jump on the "pure & secure" (tm) bandwagon.

Tech firms take down WireX Android botnet

RobinCM

Patched?

"the attack vector has been patched by Google"

... but that patch will not ever be deployed to 99% of devices.

They really need to sort out the update mechanism for the OS itself. We all know most manufacturers/carriers don't send them out.

Inside the ongoing fight to stamp out govt-grade Android spyware

RobinCM

Re: "to target older versions of Android that are no longer being patched "

If companies slowed down a little on developing and releasing new hardware (often that is not really significantly different from the previous version, or other products in their range) they might be able to a) spend more time testing and deploying security updates, and b) stop needlessly polluting the planet by manufacturing the pointless multiple new hardware revisions.

Knowing what most people are like, they get attached to their stuff and don't want the hassle of choosing and migrating to a new device every few years. I wish I could bung HTC a few quid every year to get access to security updates for my phone. But instead I have to throw it out and buy a new one every few years.

A few software devs have got to be cheaper than the vast amounts they must currently spend designing testing and building new hardware every few months.

That model would take some selling at present, but sometime soon the collective security awareness of the world will demand it. Surely?

If not, legislation will be needed.

Yeah, WannaCry hit Windows, but what about the WannaCry of apps?

RobinCM

Control freak

I would much rather be the cause of outages and problems with my own systems through applying updates, than not apply updates and have some malware/hacker get into them and mess them up.

I know which updates I've tested and applied, and when I did it. Who knows what the malware/hacker has done, or how long they've been there doing it for.

The risk of not updating outweighs the risk of updating.

Reg readers speak out on Thin Client technology

RobinCM

Lync 2013 - does not support Remote Desktop Session Host.

https://technet.microsoft.com/en-gb/library/jj204982.aspx

Oops!

Shame, because in Server 2012, RDSH performance and functionality is great, and Lync 2013/Skype for Business is also great. But not if you want to use them both together.

Might be some other relevant stuff in here for some people: https://rcmtech.wordpress.com/2014/09/11/why-im-not-deploying-windows-desktops-using-remote-desktop-services/

Inside Microsoft's Surface Pro: A fiendishly difficult journey

RobinCM

Re: @Mark

HP do still have Maintenance and Service Guides available as PDFs. I used one to help me upgrade a Folio 13-2000 laptop last year; it was very detailed and easy to find via Google.
