Posts by Blacklight

Layers

It's all about the layers. APIs & inter-app comms are probably an afterthought for most.

The 'tightest' place I've encountered had:

a) Windows desktop & server firewall controlled by AD policy

b) Cisco ISE operating on all switch ports (assigning VLANs etc) with MAC and 802.1x back to AD

c) Switch port policies applied to ports based on the VLAN or ISE assignment

d) Site level firewalls (Palo Alto) governing intersite and internet access

e) SD-WAN (Silverpeak)

f) Regional firewalls for internet (and any failover between intersite if SDWAN routing went awry)

g) VPN with device and user authentication, and policies applied dynamically based on both

h) WAFs and NSGs running on the Azure side of things (if you made it that far)

i) AD ACL and SEC groups, applied thoroughly on actual servers, shares & resource groups

But, as outlined in the article, if (or once) you were 'in', you were generally able to 'get around' - but that was also partly due to a hangover from a prior set of circumstances where they were no proper firewall policies previously, and there was still reasonable paranoia as to restricting things further.

Electrickery...

My secondary school had a lovely BBC Econet setup, with a variety of BBC-B and Master machines (ah, CUB monitors), across the whole school site (some fun cabling runs, mostly external). One night, there was a storm, and some well aimed lightning hit the Econet cable.

I remember the IT teacher spending the next few days soldering many, many poorly BBC computers.....

It's not all bad.

Hue and Lightwave kit work without cloud,locally or with VPN.

But I have many baskets, and all of them work standalone :)

Pencils

Our old 8088 and then 8086 used to have a batch file we ran to "park" the heads on the disks prior to shutdown. But we started with a 20MB "hardcard" (and a Hercules b&w graphics card, along with DOS 2.11...)

But later we had a dead hard drive, that we could restart with a pencil in the drive spindle, releasing it. We did back it up then

Godspeed V'ger

It might come back, you never know ;)

Received this morning:

"Dear Valued Customer,

On May 6, 2019, our technical services team rolled out a number of changes to the CrashPlan for Small Business data protection service. These changes were intended to make restoring files and machines more efficient by eliminating unnecessary files from your backup sets. Unfortunately, we made two mistakes during this change process.

The first mistake relates to our email notifications sent to you regarding the changes to CrashPlan. Our initial email sent in early April was classified incorrectly as a marketing communication and did not reach customers who opted out of marketing communications. We resent the notification to all customers on May 17, but this did not give enough advance notice to some of our customers. We apologize for this mistake and we can assure you that we have since changed our processes to ensure better communications in the future.

The second mistake involves the actual file changes that we made. As part of this update, we stopped archiving 32 file types and directories. The email notification included a link to an updated list of files that are excluded from CrashPlan backups. One of the file types we began excluding from backups is the .sparseimage file format. We believed that this file format was obsolete because in 2007 Apple introduced a new format called .sparsebundle, which we thought replaced .sparseimage for the use case we track. After we implemented the changes in May, some of our customers made it clear they still have valid use cases for .sparseimage. We now believe we made an error in excluding .sparseimage, and we have since added it back to the list of files we support via backup.

If you use .sparseimage files, there is no action you need to take. The change will automatically be pushed to your client and .sparseimage files will once again be backed up in CrashPlan. This process will take several days as these devices connect to our service. You can see a full list of excluded files here.

We regret the inconveniences that these two mistakes may have caused you. Our priority is to provide a great product that protects your important small business data. We appreciate your feedback and ongoing partnership. Should you have any questions or need assistance, please contact our Support Team.

Thank you for your support and trusting us with your most important information.

Sincerely,

Joe Payne

President and CEO

Code42"

I've had this, for a similar named person to me, and their flights.

And someone else crime report, with number (direct from the police)

And something from HM Government.

And home building plans, and insurance.

Normally I do get a "sorry" in most cases, but STA (re: the flights) took a LONG time to sort it, and I did consider cancelling the flight....

Alternatives...

Anyone who has enough nouse to play with APIs, can do the following...

Get a Raspberry Pi, an enclosure, and install OpenRemote on it.

Yes, there is a cloud UI to set things up, but once you've got the config on the Pi, you can cut it off from t'interweb and it will still control anything in your house/network that you can make it talk to (from HTTP/JSON to raw TCP/UDP).

Mine runs on a NAS rather than a Pi, but talks to Philips Hue (which runs when no cloud is available), Lightwave (same), and direct to other devices on the LAN. It is a bit of effort to get going, but it's so worth it when you hear of crap like this!

I recently played with amending AMI type BIOS, as I wanted a new Intel BIOS for RST, and it worked. Hopefully if they drop the microcode in useful formats, people can try rolling their own (if they are suitably equipped).

At least my Gigabyte motherboard has Dual-BIOS, so I can't *totally* kill it...

Hmm.

Since putting the latest MS patches on my (Sandy Bridge based) PC, I've had two unexplained crashes - which is annoying when working remotely as while the Intel RST on my machine recovers correctly, it doesn't then reboot, so just sits waiting for someone to reset it. Maybe time invest a remote power switch....

Also quite annoying as my Sandy Bridge (i7 2700K) DOES support PCID, but not, apparently INVPCID...

So, on a Sandy Bridge i7 2700K (released Oct 2011 I believe) running Win 10 Pro, the results of "Get-SpeculationControlSettings" are:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID performance optimization is enabled: False [not required for security]

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

BTIHardwarePresent : False

BTIWindowsSupportPresent : True

BTIWindowsSupportEnabled : False

BTIDisabledBySystemPolicy : False

BTIDisabledByNoHardwareSupport : True

KVAShadowRequired : True

KVAShadowWindowsSupportPresent : True

KVAShadowWindowsSupportEnabled : True

KVAShadowPcidEnabled : False

Already said above, but the Pixel-C is a lovely bit of kit (although I can recommend NOT dropping it, as whilst the screen survived, trying to 'undent' the metal case is challenging!)

I've got a Nexus 7 (2013), which won't go beyond Android 6, and is a bit slow, but it's used for some games, and principally a baby monitor (IP Cam viewer) at night.

The Pixel-C is just a joy to use when you CBA with a phone. A bit heavy, but sometimes heft is good.

I was considering a Pixel Phone to replace the 5X, but £599 or £820? They're having a giraffe.

Nexus 5X here with Android 7.0 on.

Location for the Store is "off" and I didn't' turn it off, it's just "off". I didn't see any request to enable it either....

The only thing I did note was that I had Developer mode "uncovered" before the 6.0-7.0 upgrade, but it was disabled. Post upgrade, it was ENABLED and "Automatic system updates" were enabled...

A link to other materials here would be useful :)

The 5X has an encrypted file system, however other sources on this vuln show the password is left sitting "unguarded" in the extracted image, so someone with the image could unlock the device, or clone it.

Hopefully Google have either salted this passphrase now, rather than just stopping the panic enabling extraction.....

One of the offices I work at has three lifts. Above each one, on each floor, is a 4"x2" ish panel, showing the floor the lift is on, and a directional arrow.

Except one day the left most one was showing a teeny tiny Windows 2000 screen.....(not a BSOD, just the desktop...)