* Posts by Amos1

193 posts • joined 9 Feb 2014


Wells Fargo? Well fscked at the moment: Data center up in smoke, bank website, app down


Re: The BOFH Strikes Again

We had an entire data center "go quiet" once for a semi-related reason. The EPO button (emergency power off or Big Red Button) can be wired one of two ways, normally closed or normally open.

Normally closed is similar to a light switch that is always on and flipping the switch kills the power. That's how this one was wired. Even though everything had preventive maintenance twice a year, "everything" did not include that 20-year-old push button, and its wiring screws slowly loosened up.

Then one day someone came into the data center and when the door closed behind them, the door next to the Big Red Button, it got very quiet.

The electricians said someone had pushed the button, and the person who walked in was worried he was going to lose his job, but the security cameras showed he was nowhere near it.

The EPO button is now wired as normally open...

If you wanna learn from the IT security blunders committed by hacked hospital group, here's some weekend reading


Re: show me the money

The opposite of security is not insecurity. The opposite of security is overly convenient.

The issues described in this article probably apply to 99.9999% of all IT systems operators in the world.

When I do interviews of prospective vendors I always ask the question "Do you have staff dedicated 100% to operational security (not including compliance) or is security everyone's responsibility?"

The competent ones answer "Both."

The dumb ones enthusiastically respond "No. Security is everyone's responsibility!"

When something is everyone's responsibility it's no one's responsibility.

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)


Give Adobe a break

After all, they had to push out yet another Acrobat and Reader emergency patch a few days ago.

Oh wait, they did push a Flash patch today: https://helpx.adobe.com/security/products/flash-player/apsb19-01.html

Jeep hacking lawsuit shifts into gear for trial after US Supremes refuse to hit the brakes


Re: So...

If I recall, a vendor left access open from the Internet in general to a system that was never supposed to be exposed to the Internet and they figured it out. I've certainly never heard of that being a problem before (vendor screw-up, no monitoring, ports left open) (rolls eyes).

Supernovae may explain mass extinctions of marine animals 2.6 million years ago


This 2006 book on the same subject is a fascinating read


It's still one I enjoy re-reading because of the way they wove the story. They tied physical evidence on earth to other evidence of a supernova causing an extinction-level event.

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage


Re: Offsite scripts GAH!

"...if it's an even vaguely secure area no script that you have not copied locally and validated does what you think it does goes in, is this so hard to understand."

I'm not understanding how that matters. If the script links in external references the script can be benign when tested but not necessarily in the future.

Still relevant after all these years: Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.

I'm waiting for the Google Analytics site to get whacked, if just by a resource-consuming coding error.

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory


Re: Too much power

"I got to a human who said that if I'm NOT in the equifax or experian databases, they cannot prove I exist! (I am in the OPM as I had a security clearance, or I should be, anyway -..."

You could probably ask the Chinese government for an affidavit of your existence since they allegedly owned both Equifax and OPM.

Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS


Re: It's time to start over

Let's not forget GUIs that let the unskilled call themselves "developers" and "admins" because they can drive a mouse. Or the proliferation of open-source code dropped into apps with nary a clue what is really going on inside those black boxes. Write once, hack many; the joy of code re-use.

Microsoft sysadmin hired for fake NetWare skills keeps job despite twitchy trigger finger


Re: Nothing beats them

Hmm, I've never referred to "coworkers" as "equipment" before but sure, that works.

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers


Re: Microsoft TMG and TLS support

TMG effectively went EOL years ago. If your company is still using it they are not interested in securing their data.

Solid password practice on Capital One's site? Don't bank on it


Working for a bank, I can assure you that is almost impossible. Why? Because pretty much every company makes all accounts available from the Internet by default. So if you don't use it someone else just might.

You also should set transaction alerts for the smallest allowable amount, usually $1 or $5 because you should always know when one of your accounts is used.

You can request that Internet access be disabled one account at a time but I've seen many an upgrade enable them without warning.

Back up a minute: Veeam database config snafu exposed millions of customer records


Re: Are they..

Anybody want to wager on whether the security people at British Airways suddenly lost interest in their work when they learned BA was talking to IBM about taking everything over? Particularly with IBM's reputation for massive layoffs?

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS


With proper change control processes it could not go live so the developers would not take the hit.

Just go DevOps and automate that upcoming breach.


Clearly the Marketing department does not run your company as it does in many if not most.

That or they are running websites that you don't even know exist. Having the IT Security function exclusively manage public DNS made us aware of a few end-run attempts like that.

Cock-ups, rather than conspiracies, top self-reported data breaches


We looked at a year's worth of outbound emails for the number of recipients. For business-related emails the max number of recipients was 7 so we set a limit of 10 maximum recipients per email. Others to church memberships, soccer leagues, baseball leagues and the like had dozens to hundreds. Those can't get sent using company email systems any more. All advertising, customer communications, etc. must go through a third-party mass-spammer and those are triple-inspected for format and content so there will be multiple, documented people to blame.

Event management kit can take a hammering these days: Use it well and it'll save your ass


Every time an auditor asks us how we monitor for after-hours activity I ask why that is important. I point out that the Target (department store) malware turned itself on at 9 AM and off at 5 PM so its activity could hide in the noise of the daily operations. I point out that people simply walk away from their computers at the end of the day rather than shutting them down as policy says because they're lazy and their managers don't care so we'll always have after-hours activity.

I point out that monitoring for failed logins is far less valuable than monitoring for successful logins because, well, a failed login has no access to data. I mention that what the audit department needs to do is get HR to inform IT Security of people's vacation and out-of-the-office hours during the workday so we can monitor for use of their accounts while they're not physically present.

The auditor will stare blankly at me and say that their procedure says we have to be checking for after-hours activity. I reply that people never log off and leave the applications running so we have a lot. They are happy that we're monitoring and the item gets its check mark. Audit Passed.
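The check the post describes (successful logins by accounts whose owners HR says are out of the office, ignoring failed attempts) as an added example. This is not the commenter's code; the log format, the roster format and the sample lines are all constructed here for illustration, so the regex must be adapted to whatever the real authentication system emits.

```python
import re
from datetime import datetime, date

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2019-03-04T09:12:01 auth user=asmith result=SUCCESS src=10.1.4.22
2019-03-04T09:15:44 auth user=bjones result=FAILURE src=10.1.4.80
2019-03-04T10:02:10 auth user=bjones result=SUCCESS src=10.1.4.80
2019-03-05T14:30:00 auth user=asmith result=SUCCESS src=203.0.113.9
2019-03-06T08:00:00 auth user=cdoe result=SUCCESS src=10.1.4.31
"""

# Constructed out-of-office roster as HR might supply it:
# account -> (first day absent, last day absent), inclusive.
OUT_OF_OFFICE = {
    "asmith": (date(2019, 3, 5), date(2019, 3, 8)),
}

# Hypothetical line layout; one group per field we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def logins_during_absence(log_text: str, roster: dict) -> list:
    """Return successful login events for accounts whose owner is on the
    out-of-office roster for that day. Failed logins are skipped on purpose:
    they gained no access, which is the post's point."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "SUCCESS":
            continue
        window = roster.get(ev["user"])
        if window and window[0] <= ev["ts"].date() <= window[1]:
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in logins_during_absence(SAMPLE_LOG, OUT_OF_OFFICE):
        print(f"{ev['ts']} {ev['user']} logged in from {ev['src']} while marked absent")
```

On the constructed data this flags exactly one event, asmith's login on 5 March from 203.0.113.9, and says nothing about bjones's failed attempt or about the after-hours noise the auditor was asking about.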

DXC Technology asks field-based techies if they'd like to leave


Someone needs to better optimize and align their keyboard

"... better align and optimise in order to support our client base ob these digital journeys."

Yes, "b" and "n" are next to each other, at least on my keyboard.

Don't know if it's El Reg or DXC, though.

Oracle: Run, don't walk, to patch this critical Database takeover bug


Re: What?

Are you certain you have to be logged in? I've never seen a CVSS 9.9 that required authentication. Usually if it's above 7 or 8 then it's unauthenticated. I think by default that all users are granted CREATE SESSION. Also remember that Oracle has a long history of down-rating their vulnerabilities, but man, there isn't much difference between the max of 10.0 and 9.9.

I wonder if a web app could be used to exploit this unauthenticated. Web user hits login page, service account hits database, kind of thing.

OT, does anybody know why the maximum rating is 10.0 when it's impossible to have a 10.1? Seems silly.

Sysadmin sank IBM mainframe by going one VM too deep



Northgate Computer systems had the best keyboard I ever used. It was my first PC, a 386 with 1 MB of RAM and two, count them, TWO 65 MB RLL hard drives. It only cost me $3,495. I later upgraded it to 4 MB of RAM by replacing around thirty-two discrete integrated circuits so I could run DesqVIEW. I used that keyboard for years.


"Incidentally, since we call it a hash in the UK, but the Americans call it a pound and the social media companies are US based, why don't they call it a poundtag?"

I was wondering why it's not called a dollartag in the U.K.

Similar to how we drive on the parkway and park on the driveway.

Timehop admits to more data leakage, details GDPR danger


Re: "by the time incident response processes kicked in"

I suspect you're assuming the stable door is in fact closed. Or closed but perhaps not locked. Deficient information protection practices are pervasive in companies.

Open plan offices flop – you talk less, IM more, if forced to flee a cubicle


Re: What about disturbing others?

Just a "foghorn leghorn"? Another lovely aspect of the open office plan is the male or female who slathers on so much cologne or perfume that I can't breathe even though they are several rows away. My manager is one of those.

Security guard cost bank millions by hitting emergency Off button


Is your EPO button NC or NO?

Emergency Power Off, Normally Closed, and Normally Open.

At the company where I worked (in the last two years) the data center once went Very Quiet (tm) and it took a while to figure out. The EPO button was properly behind a plastic guard and no one was within five feet of it when things went Very Quiet. It developed that the EPO button was a normally-closed button (think of a light switch where the light is always on). A break in the circuit would cause the EPO to engage.

Yeah, in decades of preventative maintenance no one had ever removed the Big Red Button from the wall to check that its terminals were still tight. Years of people walking past and slight vibrations had loosened the terminals so that the next vibration momentarily broke the circuit and down everything went.

The electricians said they had seen the Big Red Button wired as either NC or NO and it was our choice. We had it rewired as NO so you had to push the button to engage the emergency power off function.

'No questions asked' Windows code cert slingers 'fuel trade' in digitally signed malware


"Look at HTTPS compared to SSH. With SSH, no signed certificate is required. The first time you log onto a server you get a signature in your "authorized" store and if it subsequently changes, you know something odd (not necessarily nefarious) is going on and you can inquire."

When people visit hundreds of websites every day that method is completely unworkable, especially since much content comes from third-party sites and you never see their URLs in the browser. If the usual method to communicate a validity string, such as a SHA file hash, is to put it on the web page where a hacker could modify the binary and the hash value to match, it's of no value security-wise. It just assures you downloaded the backdoored malware intact. If you even bother to check the hash or SSH fingerprint.

And with the push to reduce the certificate validity period from two years to one year or worse it's completely untenable. It only works for SSH because the certs never change, a risk in itself.

Windows Server 2008 SP2 gets new support model


Does support end on Jan. 1, 2020 or Jan. 14, 2020?

The article says the 1st but I know of more than a few companies that are figuring the date to be Feb. 11, 2020. That's the date of the first Patch Tuesday where there are no more free patches for Windows 7 or Server 2008.

If you want to strike the Fear of <insert deity> into someone, go to www.timeanddate.com, click on Date-to-Date Calculator, click on the "Count only workdays" link and then fill in the fields. (The link calculates US holidays; I do not know if it works in other countries).

As of today there are 397 workdays left to convert every one of your Windows 7 and Server 2008 systems AND their applications to a newer version, a few more if you don't get all of the holidays. Presuming of course that your company cares about such things.

580 days if you work in a sweatshop.


Re: Rollups suck...

Oh, you mean like March 2018 where we could not deploy the sole patch because of how it massively screwed things up so we were pushed out of our "all critical patches within 30 days of release" compliance requirement?

Microsoft reveals which Windows bugs it might decide not to fix


Re: Pay more, get less

"If somebody has physical access to the machine, they probably don't need the exploit anyway."

The reality of malware is that there is almost nothing nowadays that requires true "physical access" and in the age of virtual machines it's even more true. As MS themselves once noted, if the bad guy can get you to run their program on your computer it's not your computer anymore.

"For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody ...",

Not correct, not only because of malware (including JavaScript coming from hacked legit websites) but because one of the beauties of computers is that once someone has figured out how to do something evil, it's almost always trivial for the rest of the world to then do it.

Men are officially the worst… top-level domain


Throw in others and...

you'll have what companies are also seeing. Start with .stream and .pw

Some large companies are simply blocking all 1,000+ and allowing exceptions as needed. The new stuff is as big a cesspool as .info and .biz turned out to be. If you're a real company, don't even think about using .pro because the real "pros" have beat you to it.

G Suite admins need to RTFM – thousands expose internal emails


Is there a glossary? If so, how does it have "Public" defined?

Public: "The seven BILLION people on Planet Earth! No username or password required for anyone."

Citrix snuffs Xen and NetScaler brands


And they are now changing their corporate name!

To citrix.com in all lower case, of course.

Noise from blast of gas destroys Digiplex data depot disk drives


How do they know it was the sound and not the smell?

Perhaps a former co-worker of mine now works there. He could stop anything in its tracks with his gas discharge.

AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet



I had a serious fight to get HSTS and DNSSEC implemented because Marketing was whining too loudly about the "What if..." nonsense. I won but I got scarred. Now we don't even bother to let them know unless they ask, and being Marketing types they are totally inept technically so they never ask.


Re: A lot of sites still sport self-signed certificates

All a CAA record does is prevent non-listed Certificate Authorities from issuing a certificate for that domain. And as long as ID-10-T's want to save a few dollars and use Let's Encrypt, a CAA record authorizing Let's Encrypt effectively authorizes the world.
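What such a record set looks like, as an added example that is not part of the comment: a zone fragment for the hypothetical domain example.com that allows one CA to issue, forbids wildcard issuance from anyone, and names a reporting address. The CA name and mailbox are placeholders.

```zone
; Added example for a hypothetical zone; values are placeholders.
; "issue" lists the only CA permitted to issue certificates for this name.
example.com.   IN CAA 0 issue     "letsencrypt.org"
; An empty issuer (";") means no CA may issue wildcard certificates.
example.com.   IN CAA 0 issuewild ";"
; Where compliant CAs should report a request they refused because of these records.
example.com.   IN CAA 0 iodef     "mailto:security@example.com"
```

Once published, `dig example.com CAA` shows what a CA will see. As the comment says, the record only narrows which CA may issue; it does nothing about who can prove control of a hostname to that CA, which is why it is a complement to domain-control hygiene and certificate transparency monitoring rather than a substitute for either.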

Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!


So 1.1 cents per record

And they say that breaches are expensive.

IETF: GDPR compliance means caring about what's in your logfiles


So in the State of Nevada where the government wrote PCI into law, meaning you are obligated to comply with all provisions of the PCI DSS, it's OK to keep all of that data. Presuming you are subject to GDPR, of course.

Perhaps this could inspire multinationals to incorporate in Nevada instead of Delaware and move all of the headquarters to Las Vegas. Their travel expenses to junkets also would be reduced. Win-win!


"You can't possibly detect and investigate suspected breaches in three days."

Correct! That's the point. If you can't detect a breach it never happened and you do not have to disclose it. The GDPR lawyers actually were brilliant.

Gmail is secure. Netflix is secure. Together they're a phishing threat


Why should punctuation in a name indicate a different person any more than it does in real life?

"John Doe Jr" is the same as "John Doe Jr." in real life. "John J Doe" is the same on any legal document as "John J. Doe".

Treating punctuation differently in email addresses is no different than typo-squatting a domain name except it's less obvious.

Gmail has been this way for years and other sites should follow their example on all new email addresses. We know what evil lurks on the Internet so let's close off the easy methods rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.
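The canonicalisation the comment argues for, as an added example (not the commenter's code and not Gmail's): fold dots and "+tag" suffixes for domains known to ignore them, so a signup or a sender check recognises "john.doe@gmail.com" and "johndoe@gmail.com" as the same mailbox. The domain list and sample addresses are constructed; lower-casing the local part is a deliberate simplification, since in practice no major provider distinguishes case there.

```python
# Added example: canonicalise e-mail addresses the way Gmail treats its own
# domains, so that lookalike variants map to one mailbox. Not from the post.

# Domains that ignore dots in the local part and treat "+tag" as an alias.
# Constructed list; extend it from your own provider research.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(addr: str) -> str:
    """Return a comparison form of an address: lower-cased, googlemail.com
    folded into gmail.com, and for dot-insensitive domains the '+tag'
    suffix dropped and all dots removed from the local part."""
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain == "googlemail.com":      # same mailbox space as gmail.com
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local.lower()}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two written addresses deliver to the same mailbox."""
    return canonical_address(a) == canonical_address(b)


def find_lookalikes(candidate: str, known_addresses) -> list:
    """Return known addresses that reach the same mailbox as `candidate`
    but are not written identically: the 'tiny dot' case a site should
    refuse to treat as a brand-new account."""
    target = canonical_address(candidate)
    return [
        k for k in known_addresses
        if k.strip().lower() != candidate.strip().lower()
        and canonical_address(k) == target
    ]


if __name__ == "__main__":
    existing = ["johndoe@gmail.com", "jane@example.com"]
    print(find_lookalikes("John.Doe+promo@GoogleMail.com", existing))
```

A site applying `same_mailbox` at registration would reject the dotted variant as a duplicate of the existing account instead of creating a second one that Gmail will quietly deliver to the same person. For domains outside the list the function changes only case, because stripping dots there would merge genuinely different mailboxes.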

Microsoft Office 365 and Azure Active Directory go TITSUP*


There is no "cloud". It's just someone else's computer, as Orifice 365 definitely is.

My PC makes ‘negative energy waves’, said user, then demanded fix


"Roger"? The name should have been "Moriarty"

https://www.youtube.com/watch?v=ncbEucjsNFU - I'm going to have to watch Kelly's Heroes again tonight.

Well that went well: Polycom sold for the same figure it fetched two years ago


Re: Better than most

Verisign meet Symantec.

Symantec, meet Google.

DigiCert, meet Symantec.

User fired IT support company for a 'typo' that was actually a real word


Re: Contrary to popular belief, the customer is not always right.

"If a third party can fuck up enough business relationships to close down a company, that company is doing something fundamentally wrong."

Never heard of "the cloud", eh?

When you decide to outsource critical business functions to save money (which is never as much as promised) you have outsourced the future of your business.


Re: One of my spall chuckers ...

Spull Chucker on my Android actually got it correct once. I was writing "St. Patty's Day" and it changed it to "St. Party's Day"

Microsoft's Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE


Re: Foot meet hand grenades

Except the March security patch broke wireless networking on my older Windows 10 laptop with an Atheros card. No event logs, no service problems; it just wouldn't see any Wi-Fi points at all until I uninstalled it.

It's probably because of that "Designed for Windows Vista" RFID sticker on it, eh?

Fatal driverless crash: Radar-maker says Uber disabled safety systems


Re: Cause of Death: Ostrich Algorithm

a.k.a. "You can't patch stupid."

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved


Bulletproof in my world includes physically separate switches, physically separate wiring and physically separate hosts. The term is "poka-yoke", which translates to mistake-proofing. Many, many incidents occur because of a misconfiguration caused by a human: them doing something "just to see if it fixes the problem", doing something from memory, etc.

By physically separating the environment you remove much of the possible misconfiguration possibilities and the possibility of pivoting from an infected host to an isolated one. No more ACL problems, no more misconfigured VLANs, etc. They can still misconfigure them but the chances of that error causing a breach are dramatically reduced.

That being said, you also need to remove the human element as much as possible. On one PCI penetration test I'm familiar with, the company's internal network was 100% compromised in short order but they were absolutely unable to penetrate the PCI network. Right up until one tester said "I wonder what the chances are that some administrator used the same username and password in both the production and PCI environments for convenience?" Yes, Game Over.

PCI now mandates that true two-factor authentication be used for access to the PCI cardholder data environment. They finally caught up to where we've been for years.

"Bulletproof" does not mean "following what the minimum controls are". It means performing threat modeling and admitting that one of the threats is your own people, whether intentional or not. Believe it or not, some managers and HR people have a real problem with that type of thinking. :-)


Re: Nice!

You have no idea how much I wish you were one of our vendors.


Re: Great article! Security = effort, simple..

P.Lee, your definition of "shoestring budget" and management's definition might be a wee bit different. :-)

There is a massive cost and complexity to subsidising anything owned and operated by someone else. The subsidy is a direct cost and the support is an indirect cost but they're both costs.

"You don't mix secure client systems with insecure client systems. No general internet access from a company system."

That's a great start but be prepared to hear the whining from the admins about how hard you've made their jobs.


Re: Round we go again

Given that those are fairly intelligent people and undoubtedly have learned the lessons of OpenSSL and other bad implementations, I'm certain that as much of that as could be done during the threat modeling portion of TLS 1.3 development was done. That's the value and danger of an open source protocol; people can rip into it before it comes out.


Re: Geography lesson

And Ontario. They're kind of cousins.


Biting the hand that feeds IT © 1998–2019