Posts by RobinCM

Multiple clicks to get to network card properties

I just type ncpa.cpl

Re: Grump grump grump grump

My question to people when it comes to updates is:

Your stuff might break. You have two options: risk breaking it yourself in a known way at a known time, or have somebody else break it for you in unknown ways at an unknown time maybe stealing private info in the process.

Sensible people choose to risk breaking their own stuff :-)

Re: Google Play Store not available

That's not what Phillips are saying.

https://community.screeneo.com/t/what-was-the-reason-given-for-not-using-google-services/2647/3

Presumably it also does it for free?

Fully customisable commercial web filters such as Forcepoint cost considerably more than most families would be willing to pay.

Frankly, sadly, changing a home router's DHCP server to hand out a different DNS server address is going to be well beyond what most parents are capable of. That's if the router even allows that kind of config change. And mobile devices operating on a cellular data connection, or devices that might operate from WiFi outside the home are another problem.

I suspect a significant chunk of parents have no idea how to go about restricting what their kids can access. Especially given the amount of material that they might want to block that sits on multi-interest platforms like Twitter - which apparently has a ton of porn on it, but also loads of musicians, actors etc. that kids would want to get content from.

We were taking about businesses and organisations, but:

Your home PC can be turned into a dangerous cyber weapon if it's connected to the internet but your IT security management is rubbish. (Most people's is shockingly bad, I suspect you don't do half the stuff NCSC recommends for good business IT security on your home tech).

Ok, one infected device isn't too bad, but a botnet is made up of lots of infected devices and can do a huge amount of damage.

This is what happens now. You'll have read about it.

How do you propose to fix it if not by some kind of health check (with penalties applied)?

The MOT keeps dangerous vehicles off the road, and this prevents accidents. The government does not do the MOT themselves so I'm not sure why you think they'd want the hassle of checking this either?

Perhaps ISPs should be required to detect malicious traffic and block connections where they detect it?

Perhaps if you run their host health checker agent you get a discount (for being less likely to eat up their bandwidth with malicious traffic, with the nice side effect that your devices are not going to be attacking other people's stuff).

NCSC have already suggested blocking certain ports by default. Taking this further, most people don't need their internet connection to allow externally initiated inbound connections at all. Most people don't need much more than a fairly small set of outbound ports. Yet most ISP connections allow any-any. Is that sensible? The evidence overwhelmingly says no.

Re: All the more reason...

BitLocker Drive Encryption always uses software-based encryption on the OS drive if you turn it on after installing Windows.

Microsoft recommend you only use software encryption.

For additional drives that you format and encrypt later you can change defaults and other settings via group policy.

Also see KB4516071.

Re: Lack of strong commercial rationale for investment

In the same way that it's illegal to drive a car without a valid driving licence, it should be illegal to operate an internet-connected computer with (at a minimum) being Cyber Essentials Plus certified.

Business insurance should be impossible to acquire without CE+ too, unless you certify that you do not have any internet-connected IT systems.

That to me send to be the only way to force people to do this stuff.

Going back to the car analogy, who would bother with the expense of driving lessons and passing the test if it wasn't a legal requirement? Who would bother getting their car MOT done every year if it didn't have legal implications?

The softly softly approach has been proven to fail. Standards must be adhered to in other fields of engineering (electrical, civil, construction, etc.) and it's high time that IT caught up.

This is why security needs to be made a legal requirement. Or at least something which is routinely required to be tested for.

If that software product was instead a car, and it drove fine , and they'd just implemented some kind of fancy ai feature, but the car got zero in the euro ncap, or couldn't pass an MOT, few people would buy it.

Things like cyber essentials being required are a step in the right direction.

Re: Lower than a Standard user

Windows 10 S Mode.

But now try and convince every major software vendor to rewrite their business applications as Windows store apps.

Re: Ironic that...

Presumably you're an admin though?

There's zero need for a standard user to be able to execute PowerShell. Decent Windows security people have been advocating disabling PS for users for quite a while. Likewise for VBA, and in fact all kinds of other stuff that comes with the operating system. This used to be called hardening, but is now just good security practice.

BIOS and other firmware updates are actually released fairly frequently, by decent manufacturers. Particularly BIOS since the spectre/meltdown thing kicked off.

My aging Dell laptop is up to BIOS version A21, which averages to a release every 4 months. The latest version was released in March, which is pretty impressive for a seven year old machine with no hardware support contract.

People actually bothering to install these updates happens much less frequently. Which is a shame because they often fix quite serious stability and data corruption issues, not to mention security.

At the university I used to work for, the spam filtering used to outright delete around 80% of the messages arriving for the domain and only very rarely did we get somebody complain that an email they were expecting hadn't arrived. That was about four years ago.

Re: IT is not a healthy profession

I worked in an increasingly toxic IT department for a long time, hoping it would get better. When it got worse, and after a few months off work with stress (which did help) I started looking for a new job. After about a year of looking - I didn't want to jump out of one terrible organisation and into another - I found the right job, still doing IT, but for a smaller and much nicer place, with an easier commute, better pay, and far more career prospects.

If you're not enjoying it, leave! I should have left my old job ten years before I actually did. Don't try and change a toxic organisation, and definitely don't stay there and work yourself into an early grave supporting managers who don't deserve it.

There's loads of IT and security jobs out there, just find the one that's right for you. Recruitment agencies can actually help with this. (If nothing else, getting the occasional phone call from them when they find your CV helps boost your self-belief and self-worth).

Put your CV on a few of the big recruitment sites, and see what happens!

Only if it is run with an account that has sufficient privileges.

Who lets end users have admin rights these days? (Actually, plenty, sadly...)

Or doesn't remind users not to store their data on a network/cloud file server (where they definitely shouldn't have admin rights)?

Standard users can't remove VSS snapshots.

Windows has AppLocker (or Software Restriction Policies) but in my experience, few places bother turning it on.

Application whitelisting is just sensible, isn't it? Who wants any random code that they've not approved to run on their system?

I suspect it's not more widely used because of either ignorance (of its existence, or how to configure it properly) or laziness. Or because people think it's not necessary because how could they possibly be let down by all the extra security tech they spent £££££ on? "I don't need to close my doors and windows when I go out because I've got a burglar alarm"

Re: "The whole exercise is a fine example of a supply chain attack"

Presumably the same thing could occur with the various package managers like apt or rpm? They seem to pull down a load of dependencies on the fly, so all somebody has to do is compromise some frequently used library package or whatever, and bingo.

We've also talked about dynamically linked JavaScript on websites, where the code is hosted elsewhere.

Seems like there are many opportunities for supply chain type problems to occur.

Re: SMB

You can help this situation by configuring a firewall on your file server to only allow connections from places you'd expect one to be inbound from.

You could also/alternatively use IPSec to limit what is able to connect to that sever.

Re: Another reason this is such a successful exploit

If the credential databases from multiple sites are stolen, they'll either include the email address in addition to the username, or people will use the same username on multiple sites.

It'll make some impact, but I don't think it's the kind of panacea that people make it out to be.

Plus, people forget them, leading to knock on issues with the site holder then having to have a "remind me what my sign in details are" feature, with all the score for abuse that brings with it.

Two factor, done right, all the way for me.

Re: Why?

Exactly. And the certs are there too.

Tigerscheme's Qualified Security Team Member/Leader, Check Team Member/Leader, etc. Plus there are plenty of industry vendor certs from generic ones like CompTIA Security+ to more vendor specific stuff from e.g. Microsoft.

As has also already been mentioned, the problem is companies not actually coughing up to train people, then not employing enough of them, and not listening to them when they have employed them.

Schemes like Cyber Essentials Plus are helping make some companies comply with a basic security baseline, but it's not enforced across all companies yet, and it's scary how many applicants fail various bits of the testing. And those are the ones who are at least trying to be secure!

Re: Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself.

You don't get multi-factor authentication on old protocols like IMAP. Which to their credit, Yahoo have been strongly encouraging their users to turn off if they don't need it. Given that 99.99% of people just use a browser this is the right approach.

I used to use IMAP years ago (via a telnet client sometimes, ha!) but MFA is too useful a security measure.

Re: Dont' name and shame persistent offenders

Your ask yourself if you want to continue working there.

And/or talk to their boss and explain the situation, and then re-ask yourself if you want to continue working there.

You'll find your motivation for your job probably either decreased significantly, or, ideally, increased significantly.

Re: Someone has shot themselves in the foot

So what else is out there? Aside from OpenVAS, which I've heard of but not used.

Somebody commented by saying that there are loads of alternatives, but conveniently mentioned precisely none of them.

Don't care if it's paid or free, but it needs to be good and to "just work".

Thank you!