Once they've gained administrative access
So it's game over at that point then.
51 posts • joined 15 Feb 2013
On a brand new device running Android 9 I can only use 3rd party stores because Google prevents the manufacturer from installing Google Mobile Services, which stops Play Store plus sign-in to most of their apps (Chrome, YouTube, etc.).
The device is a projector (Philips PicoPix Max).
Must be a pretty compelling reason for Google to block that, because think of all the app and media sales (plus harvested data) revenue they're missing out on. From a consumer point of view it's annoying and makes no sense.
From a security point of view it's annoying and makes no sense.
Presumably it also does it for free?
Fully customisable commercial web filters such as Forcepoint cost considerably more than most families would be willing to pay.
Frankly, sadly, changing a home router's DHCP server to hand out a different DNS server address is going to be well beyond what most parents are capable of. That's if the router even allows that kind of config change. And mobile devices operating on a cellular data connection, or devices that might operate from WiFi outside the home are another problem.
I suspect a significant chunk of parents have no idea how to go about restricting what their kids can access. Especially given the amount of material that they might want to block that sits on multi-interest platforms like Twitter - which apparently has a ton of porn on it, but also loads of musicians, actors etc. that kids would want to get content from.
The vulnerabilities were found in Azure Stack, which is an on-premise environment that gives you some of the functionality and look and feel of the full-blown Azure cloud. As the Checkpoint article states, and as I know from experience, Azure Stack is somewhat behind Azure in terms of features and versions. For example, you can do nested VMs in Azure, but not on Azure Stack. (One example of many!)
Reg should really correct their headline, because unless the same vulnerabilities existed in full Azure, it is currently wrong.
We were talking about businesses and organisations, but:
Your home PC can be turned into a dangerous cyber weapon if it's connected to the internet but your IT security management is rubbish. (Most people's is shockingly bad; I suspect you don't do half the stuff NCSC recommends for good business IT security on your home tech.)
Ok, one infected device isn't too bad, but a botnet is made up of lots of infected devices and can do a huge amount of damage.
This is what happens now. You'll have read about it.
How do you propose to fix it if not by some kind of health check (with penalties applied)?
The MOT keeps dangerous vehicles off the road, and this prevents accidents. The government does not do the MOT themselves so I'm not sure why you think they'd want the hassle of checking this either?
Perhaps ISPs should be required to detect malicious traffic and block connections where they detect it?
Perhaps if you run their host health checker agent you get a discount (for being less likely to eat up their bandwidth with malicious traffic, with the nice side effect that your devices are not going to be attacking other people's stuff).
NCSC have already suggested blocking certain ports by default. Taking this further, most people don't need their internet connection to allow externally initiated inbound connections at all. Most people don't need much more than a fairly small set of outbound ports. Yet most ISP connections allow any-any. Is that sensible? The evidence overwhelmingly says no.
Sadly this type of thing is exactly what significant numbers of organisations and companies of all sizes are also doing:
No priority given to IT security, and just try to keep quiet and keep going when something bad happens - fingers crossed it doesn't end too badly.
Legislation tends to be my suggestion to fix this (rather like an MOT on a car, you're not allowed to operate computer systems if they're not regularly checked for safety), but I have no idea how that would work with an organisation like the UN!
It's called Cyber Essentials (Plus; the basic version is largely meaningless as it's self-assessment).
There's an additional one called ISO27001.
The problem is that nobody is bothering to look at them.
No CE+? Triple the price for business insurance. Triple the taxes. Blocked from operating in certain industries.
Have CE+ and ISO27001? Maybe you get a discount.
This is indeed all about money, government and regulators should therefore use that to their advantage. Short term they get more income, long term they get more secure businesses in their country/jurisdiction.
The public could also be told to use CE+ as a differentiator, but so few companies currently have it there's often nobody to choose from at all!
BitLocker Drive Encryption always uses software-based encryption on the OS drive if you turn it on after installing Windows.
Microsoft recommend you only use software encryption.
For additional drives that you format and encrypt later you can change defaults and other settings via group policy.
Also see KB4516071.
In the same way that it's illegal to drive a car without a valid driving licence, it should be illegal to operate an internet-connected computer without (at a minimum) being Cyber Essentials Plus certified.
Business insurance should be impossible to acquire without CE+ too, unless you certify that you do not have any internet-connected IT systems.
That to me seems to be the only way to force people to do this stuff.
Going back to the car analogy, who would bother with the expense of driving lessons and passing the test if it wasn't a legal requirement? Who would bother getting their car MOT done every year if it didn't have legal implications?
The softly softly approach has been proven to fail. Standards must be adhered to in other fields of engineering (electrical, civil, construction, etc.) and it's high time that IT caught up.
This is why security needs to be made a legal requirement. Or at least something which is routinely required to be tested for.
If that software product was instead a car, and it drove fine, and they'd just implemented some kind of fancy AI feature, but the car got zero in the Euro NCAP, or couldn't pass an MOT, few people would buy it.
Things like cyber essentials being required are a step in the right direction.
...Unless you force users to change them every now and then. And most places don't monitor for unusual access, so that compromise will continue for as long as the attacker likes.
Make people change them every now and then, 3-6 months sounds fair.
Unless you've implemented MFA. Then ignore the above, assuming it's a requirement on every system.
Presumably you're an admin though?
There's zero need for a standard user to be able to execute PowerShell. Decent Windows security people have been advocating disabling PS for users for quite a while. Likewise for VBA, and in fact all kinds of other stuff that comes with the operating system. This used to be called hardening, but is now just good security practice.
As the person whose forum post is quoted in this latest Reg article, I think I might be suffering from a different, possibly older problem.
Several of the obfuscated .sh files I found were dated back in August. When the NAS was available on the internet. It stopped being directly visible around October, instead only allowing access via myqnapcloud.
Another interesting thing is that I wasn't running the latest firmware, but I'm pretty sure I would have checked it over the last few months via the admin web console. Along with this, the auto update check told me there was no new firmware available, when actually there was. I manually downloaded and updated the firmware the other day. Didn't fix the "wrong architecture" errors though.
Somebody from qnap support has apparently "delete[d] malware in the NAS QTS system" so I'll see later tonight if it's any healthier.
It is a few years old now but is apparently supported until some time in 2020. I just don't know if I trust it anymore. The whole point of having it was to get access to my stuff from anywhere with the minimum of hassle.
I wonder if there'll be any firmware updates released, and if these will be able to fix the issue without effectively junking all the data on the drive.
I also wonder what the performance hit is of software vs on-disk-hardware encryption. Newer CPUs have AES instructions built in so unless your processor is already running at 100% it presumably won't be too bad?
BitLocker documentation is here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdeosd
I imagine you'd have to decrypt then re-encrypt the drive after changing this setting, which would be somewhat time consuming.
It'll be interesting to see if/what guidance Microsoft produce on this topic.
BIOS and other firmware updates are actually released fairly frequently, by decent manufacturers. Particularly BIOS since the spectre/meltdown thing kicked off.
My aging Dell laptop is up to BIOS version A21, which averages to a release every 4 months. The latest version was released in March, which is pretty impressive for a seven year old machine with no hardware support contract.
People actually bothering to install these updates happens much less frequently. Which is a shame because they often fix quite serious stability and data corruption issues, not to mention security.
I worked in an increasingly toxic IT department for a long time, hoping it would get better. When it got worse, and after a few months off work with stress (which did help) I started looking for a new job. After about a year of looking - I didn't want to jump out of one terrible organisation and into another - I found the right job, still doing IT, but for a smaller and much nicer place, with an easier commute, better pay, and far more career prospects.
If you're not enjoying it, leave! I should have left my old job ten years before I actually did. Don't try and change a toxic organisation, and definitely don't stay there and work yourself into an early grave supporting managers who don't deserve it.
There's loads of IT and security jobs out there, just find the one that's right for you. Recruitment agencies can actually help with this. (If nothing else, getting the occasional phone call from them when they find your CV helps boost your self-belief and self-worth).
Put your CV on a few of the big recruitment sites, and see what happens!
1. Just because something is listening on localhost doesn't also mean it's listening on the machine's network IP address.
2. Most ISPs supply routers that have NAT firewalls enabled by default, so a machine listening on a private address behind one of those is unlikely to be accessible from the public IP address of the router.
3. If you're not banner grabbing how do you know what's actually listening?
4. I'm pretty sure ISPs do or used to do port scans of customers' public IP addresses, Virgin/Telewest definitely used to do that to me years ago. Does that still happen?
Only if it is run with an account that has sufficient privileges.
Who lets end users have admin rights these days? (Actually, plenty, sadly...)
Or doesn't remind users not to store their data on a network/cloud file server (where they definitely shouldn't have admin rights)?
Standard users can't remove VSS snapshots.
Rather like UEM then?
Been hoping that'll start working properly for two years now but new bugs keep on appearing. Current one is not being able to activate Android 7.1 devices. Oh, and another one is not being able to get app updates on some phones.
Plus it's Windows server software but for some reason they wrote it in Java, so it needs crazy amounts of RAM and is extra slow.
The features sound great on paper, and if they worked (as described, all of the time) it would be fine.
Very seriously considering ditching it.
Windows has AppLocker (or Software Restriction Policies) but in my experience, few places bother turning it on.
Application whitelisting is just sensible, isn't it? Who wants any random code that they've not approved to run on their system?
I suspect it's not more widely used because of either ignorance (of its existence, or how to configure it properly) or laziness. Or because people think it's not necessary because how could they possibly be let down by all the extra security tech they spent £££££ on? "I don't need to close my doors and windows when I go out because I've got a burglar alarm."
Cloud storage (for users) tends not to use things like mapped drives, plus it tends to have file history features so even if your local files are encrypted and synced to the cloud, you can go back to a previous version.
No doubt somebody is working on a way to get around this though, but it'll be different for each cloud provider, assuming they have an API for accessing the type of features needed. Crypto malware has been trying to destroy local file history for years if it has sufficient privileges (i.e. user is logged on with an administrator account).
Yes it's a car, but how is this different to selling a phone, laptop, tablet, fridge or anything else with tech in it?
If I sell an Android phone, I need to make sure I remove my data and Google account from it before I sell it.
Ditto for any of the other items I mentioned. As a seller, I would want to do this, so I know my data has gone before the device leaves my ownership.
If I'm buying a second hand car I'm definitely going to be asking the retailer if any connected functionality has been correctly reset and is ready for my use - before I buy the car.
Seems like the guy in the article failed to do that, and then got in a strop and blamed the vehicle manufacturer for his own lack of foresight.
If I bought a used iPhone and the previous owner hadn't wiped it properly, and I didn't check that before I bought it, how would that be Apple's problem?
Presumably the same thing could occur with the various package managers like apt or rpm? They seem to pull down a load of dependencies on the fly, so all somebody has to do is compromise some frequently used library package or whatever, and bingo.
Seems like there are many opportunities for supply chain type problems to occur.
You're clearly not going to like this, what with that hornet's nest in your collective bonnet, but that didn't sound unreasonable to me. Most places would have you use a 2FA code at every authentication. Once per 24hrs on non-school-owned devices seems fair enough. I'm kind of amazed that educational establishments still allow BYOD, what with the extra-sensitive nature of most of their PII.
Places of education tend to have terrible IT security, and this is exactly the type of reaction when anyone tightens it.
The other argument that gets used a lot to block security tech is "academic freedom".
Sadly, the rest of the world is slowly doing this shit, and you're no different. Even if you think you are. Sorry!
It'd be very easy to write a few lines of script that gets all the usernames from AD (readable by all users, and potentially even anonymously if you've not secured it) and then bang a password of "a" at each one until it locks, move on to the next and repeat.
Instant chaos. I'm amazed more people don't have this kind of problem with malware or when they get infected with remote access tools. Perhaps it's just one of those mass disasters waiting to happen...
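The defensive side of the scenario above is spotting it quickly: a burst of account lockouts (Windows Security event 4740) originating from one caller computer looks nothing like normal users mistyping passwords. The following is an added example, not part of the forum post; it parses a constructed CSV-style export of 4740 records (timestamp, event id, locked-out account, caller computer; the field layout is an assumption, not the native EVTX format) and flags any caller that locks out more than a threshold of accounts inside a sliding time window.

```python
"""Flag account-lockout storms in exported Windows Security 4740 events.

Added example. The record format below is constructed for illustration:
timestamp,event_id,locked_out_account,caller_computer
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: eight lockouts in eight seconds from WS-0042,
# plus a couple of isolated lockouts that look like ordinary user error.
SAMPLE_EVENTS = """\
2020-01-14T09:00:01,4740,alice,WS-0042
2020-01-14T09:00:02,4740,bob,WS-0042
2020-01-14T09:00:03,4740,carol,WS-0042
2020-01-14T09:00:04,4740,dave,WS-0042
2020-01-14T09:00:05,4740,erin,WS-0042
2020-01-14T09:00:06,4740,frank,WS-0042
2020-01-14T09:00:07,4740,grace,WS-0042
2020-01-14T09:00:08,4740,heidi,WS-0042
2020-01-14T09:03:10,4740,ivan,LAPTOP-07
2020-01-14T09:15:00,4740,judy,WS-0042
2020-01-14T10:30:00,4740,alice,LAPTOP-07
"""


def parse_events(text):
    """Parse the constructed export into dicts, keeping only 4740 records."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or parts[1] != "4740":
            continue  # skip blank, malformed or unrelated records
        ts, _, account, caller = parts
        events.append({"time": datetime.fromisoformat(ts),
                       "account": account, "caller": caller})
    return events


def lockout_storms(events, window=timedelta(minutes=5), threshold=5):
    """Return callers whose peak lockout count inside `window` reaches `threshold`.

    Uses a sliding window over each caller's time-sorted events, so a slow
    trickle of genuine typos does not trip the rule but a scripted sweep does.
    """
    by_caller = defaultdict(list)
    for ev in events:
        by_caller[ev["caller"]].append(ev)

    storms = {}
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: e["time"])
        start, peak, accounts = 0, 0, set()
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:
                start += 1  # drop events that fell out of the window
            peak = max(peak, end - start + 1)
            accounts.add(ev["account"])
        if peak >= threshold:
            storms[caller] = {"peak_lockouts": peak,
                              "distinct_accounts": len(accounts)}
    return storms


if __name__ == "__main__":
    for caller, info in lockout_storms(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {caller}: {info['peak_lockouts']} lockouts in 5 min, "
              f"{info['distinct_accounts']} distinct accounts")
```

On a real domain the same logic would be fed from the domain controllers' Security logs (or a SIEM export) rather than the embedded sample, and the window and threshold tuned to the lockout policy in use.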
The last thing I want is to have to cart around, keep charged, and generally take care of a second electronic device. Been there, done that, far too much hassle.
I'd be more than happy to use an app on my own phone as long as it doesn't drain the battery significantly, doesn't intrude when I'm not at work, and doesn't use noticeable amounts of data.
E.g. Google Authenticator. Or a text message. Or the Microsoft Authenticator app. I might be tempted by a Yubikey, but I can see that across a large organisation the rate of loss would be significant.
The beauty of allowing staff to use their own phones for MFA/OTP is that they tend to always have them with them, they're always charged, they know how to unlock them, and they tend to take a lot more care of them than a company device.
I'm speaking as somebody who tried a corporate phone and found it a massive pain, and as one of the people who've been managing the devices.
What is a shame is that Active Directory and Windows don't have some kind of MFA/OTP built in from years ago. I've yet to find a solution that I like the look of that works when the endpoint is offline and that is affordable.
Way back in the mid 90s I had skeys (one time passwords) for remote access to Solaris systems.
I doubt Microsoft will be changing their current plan of attack though, i.e. Windows Hello. Although they've got umpteen options for various other things these days, so maybe a simple pluggable authentication module to support a 6 digit code type of OTP will appear. Surely it can't be that difficult?
If the credential databases from multiple sites are stolen, they'll either include the email address in addition to the username, or people will use the same username on multiple sites.
It'll make some impact, but I don't think it's the kind of panacea that people make it out to be.
Plus, people forget them, leading to knock-on issues with the site holder then having to have a "remind me what my sign in details are" feature, with all the scope for abuse that brings with it.
Two factor, done right, all the way for me.
Exactly. And the certs are there too.
Tigerscheme's Qualified Security Team Member/Leader, Check Team Member/Leader, etc. Plus there are plenty of industry vendor certs from generic ones like CompTIA Security+ to more vendor specific stuff from e.g. Microsoft.
As has also already been mentioned, the problem is companies not actually coughing up to train people, then not employing enough of them, and not listening to them when they have employed them.
Schemes like Cyber Essentials Plus are helping make some companies comply with a basic security baseline, but it's not enforced across all companies yet, and it's scary how many applicants fail various bits of the testing. And those are the ones who are at least trying to be secure!
If TSB hadn't been forcibly split off from Lloyds then this wouldn't be an issue.
Any large scale data migration is going to have problems. These problems are exacerbated due to money being involved. Hands up if you've done a data migration of this scale and had zero issues?
I feel rather sorry for TSB in some respects. Forced into existence, they hire a supposedly expert firm to manage their systems and data migration only to have it blow up in their face. So they're paying through the nose for IBM, and now they're having to deal with frauds, fines and legal nonsense too. And try and provide some kind of valuable service to customers.
You don't get multi-factor authentication on old protocols like IMAP. Which to their credit, Yahoo have been strongly encouraging their users to turn off if they don't need it. Given that 99.99% of people just use a browser this is the right approach.
I used to use IMAP years ago (via a telnet client sometimes, ha!) but MFA is too useful a security measure.
I'm pretty sure you can only get ATP if you have a Windows Enterprise E5 license. Which is a shame as that's not available to places with under a certain number of licences, or it's extremely expensive compared to E3.
ATP looks rather good, I have no idea why it's not being made more accessible to smaller businesses.
Veeam support head Gostev posted a month ago about a company that was hit with Cryptomix Arena, which encrypted all their file servers and VMs, called home, and then human beings manually deleted all their Veeam backups via Veeam itself including both local NAS copies and those in the cloud, then deleted the Veeam VM. The customer managed to recover some data thanks to storage snapshots, but I think I'd prefer some offline backups for peace of mind!
You ask yourself if you want to continue working there.
And/or talk to their boss and explain the situation, and then re-ask yourself if you want to continue working there.
You'll find your motivation for your job probably either decreased significantly, or, ideally, increased significantly.
So what else is out there? Aside from OpenVAS, which I've heard of but not used.
Somebody commented by saying that there are loads of alternatives, but conveniently mentioned precisely none of them.
Don't care if it's paid or free, but it needs to be good and to "just work".
Are advertising their Android phones in part by stating their "pure Android" nature and that they'll get regular security updates. Specs aren't bad either, my partner bought a Nokia 8 yesterday and it's rather nice - considering getting one myself.
My HTC One M9 is still on 7.0 April 2017 security update.
It'll be interesting to see how many other manufacturers start to jump on the "pure & secure" (tm) bandwagon.
If companies slowed down a little on developing and releasing new hardware (often that is not really significantly different from the previous version, or other products in their range) they might be able to a) spend more time testing and deploying security updates, and b) stop needlessly polluting the planet by manufacturing the pointless multiple new hardware revisions.
Knowing what most people are like, they get attached to their stuff and don't want the hassle of choosing and migrating to a new device every few years. I wish I could bung HTC a few quid every year to get access to security updates for my phone. But instead I have to throw it out and buy a new one every few years.
A few software devs have got to be cheaper than the vast amounts they must currently spend designing testing and building new hardware every few months.
That model would take some selling at present, but sometime soon the collective security awareness of the world will demand it. Surely?
If not, legislation will be needed.
I would much rather be the cause of outages and problems with my own systems through applying updates, than not apply updates and have some malware/hacker get into them and mess them up.
I know which updates I've tested and applied, and when I did it. Who knows what the malware/hacker has done, or how long they've been there doing it for.
The risk of not updating outweighs the risk of updating.
Lync 2013 - does not support Remote Desktop Session Host.
Shame, because in Server 2012, RDSH performance and functionality is great, and Lync 2013/Skype for Business is also great. But not if you want to use them both together.
Might be some other relevant stuff in here for some people: https://rcmtech.wordpress.com/2014/09/11/why-im-not-deploying-windows-desktops-using-remote-desktop-services/
Biting the hand that feeds IT © 1998–2020