* Posts by RobinCM

51 posts • joined 15 Feb 2013


Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

RobinCM

Once they've gained administrative access

So it's game over at that point then.

Please, just stop downloading apps from unofficial stores: Android users hit with 'unkillable malware'

RobinCM

Re: Google Play Store not available

That's not what Phillips are saying.

https://community.screeneo.com/t/what-was-the-reason-given-for-not-using-google-services/2647/3

RobinCM

Google Play Store not available

On a brand new device running Android 9 I can only use 3rd party stores because Google prevents the manufacturer from installing Google Mobile Services, which stops Play Store plus sign-in to most of their apps (Chrome, YouTube, etc.).

The device is a projector (Phillips Picopix Max).

Must be a pretty compelling reason for Google to block that, because think of all the app and media sales (plus harvested data) revenue they're missing out on. From a consumer point of view it's annoying and makes no sense.

From a security point of view it's annoying and makes no sense.

Cloudflare family-friendly DNS service flubs first filtering foray: Vital LGBTQ, sex-ed sites blocked 'by mistake'

RobinCM

Presumably it also does it for free?

Fully customisable commercial web filters such as Forcepoint cost considerably more than most families would be willing to pay.

Frankly, sadly, changing a home router's DHCP server to hand out a different DNS server address is going to be well beyond what most parents are capable of. That's if the router even allows that kind of config change. And mobile devices operating on a cellular data connection, or devices that might operate from WiFi outside the home are another problem.

I suspect a significant chunk of parents have no idea how to go about restricting what their kids can access. Especially given the amount of material that they might want to block that sits on multi-interest platforms like Twitter - which apparently has a ton of porn on it, but also loads of musicians, actors etc. that kids would want to get content from.

Flaws punched holes in Azure cloud, Apple patches pretty much everything, Eurocops cuff Maltese hackers, etc

RobinCM

Not "Microsoft Azure"

The vulnerabilities were found in Azure Stack, which is an on-premise environment that gives you some of the functionality and look and feel of the full-blown Azure cloud. As the Checkpoint article states, and as I know from experience, Azure Stack is somewhat behind Azure in terms of features and versions. For example, you can do nested VMs in Azure, but not on Azure Stack. (One example of many!)

Reg should really correct their headline, because unless the same vulnerabilities existed in full Azure, it is currently wrong.

UN didn't patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it

RobinCM

We were talking about businesses and organisations, but:

Your home PC can be turned into a dangerous cyber weapon if it's connected to the internet but your IT security management is rubbish. (Most people's is shockingly bad, I suspect you don't do half the stuff NCSC recommends for good business IT security on your home tech).

Ok, one infected device isn't too bad, but a botnet is made up of lots of infected devices and can do a huge amount of damage.

This is what happens now. You'll have read about it.

How do you propose to fix it if not by some kind of health check (with penalties applied)?

The MOT keeps dangerous vehicles off the road, and this prevents accidents. The government does not do the MOT themselves so I'm not sure why you think they'd want the hassle of checking this either?

Perhaps ISPs should be required to detect malicious traffic and block connections where they detect it?

Perhaps if you run their host health checker agent you get a discount (for being less likely to eat up their bandwidth with malicious traffic, with the nice side effect that your devices are not going to be attacking other people's stuff).

NCSC have already suggested blocking certain ports by default. Taking this further, most people don't need their internet connection to allow externally initiated inbound connections at all. Most people don't need much more than a fairly small set of outbound ports. Yet most ISP connections allow any-any. Is that sensible? The evidence overwhelmingly says no.

RobinCM

Sadly this type of thing is exactly what significant numbers of organisations and companies of all sizes are also doing:

No priority given to IT security, and just try to keep quiet and keep going when something bad happens - fingers crossed it doesn't end too badly.

Legislation tends to be my suggestion to fix this (rather like an MOT on a car, you're not allowed to operate computer systems if they're not regularly checked for safety), but I have no idea how that would work with an organisation like the UN!

Spanking the pirates of corporate security? Try a Plimsoll

RobinCM

The IT Security Plimsoll Line exists

It's called Cyber Essentials (Plus, the basic is largely meaningless as it's self assessment).

There's an additional one called ISO27001.

The problem is that nobody is bothering to look at them.

No CE+? Triple the price for business insurance. Triple the taxes. Blocked from operating in certain industries.

Have CE+ and ISO27001? Maybe you get a discount.

This is indeed all about money, government and regulators should therefore use that to their advantage. Short term they get more income, long term they get more secure businesses in their country/jurisdiction.

The public could also be told to use CE+ as a differentiator, but so few companies currently have it there's often nobody to choose from at all!

Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption

RobinCM

Re: All the more reason...

BitLocker Drive Encryption always uses software-based encryption on the OS drive if you turn it on after installing Windows.

Microsoft recommend you only use software encryption.

For additional drives that you format and encrypt later you can change defaults and other settings via group policy.

Also see KB4516071.

Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers

RobinCM

SSL VPN?

Surely it'll be using TLS?

Why do people insist on calling something by a defunct technology acronym that (almost certainly) isn't even in use in that product?

Please tell us why you're not securing yourselves, UK.gov asks businesses

RobinCM

Re: Lack of strong commercial rationale for investment

In the same way that it's illegal to drive a car without a valid driving licence, it should be illegal to operate an internet-connected computer with (at a minimum) being Cyber Essentials Plus certified.

Business insurance should be impossible to acquire without CE+ too, unless you certify that you do not have any internet-connected IT systems.

That to me seems to be the only way to force people to do this stuff.

Going back to the car analogy, who would bother with the expense of driving lessons and passing the test if it wasn't a legal requirement? Who would bother getting their car MOT done every year if it didn't have legal implications?

The softly softly approach has been proven to fail. Standards must be adhered to in other fields of engineering (electrical, civil, construction, etc.) and it's high time that IT caught up.

Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

RobinCM

This is why security needs to be made a legal requirement. Or at least something which is routinely required to be tested for.

If that software product was instead a car, and it drove fine, and they'd just implemented some kind of fancy AI feature, but the car got zero in the Euro NCAP, or couldn't pass an MOT, few people would buy it.

Things like cyber essentials being required are a step in the right direction.

Meet the Great Duke of... DLL: Microsoft shines light on Astaroth, a devilishly sneaky strain of fileless malware

RobinCM

Re: Lower than a Standard user

Windows 10 S Mode.

But now try and convince every major software vendor to rewrite their business applications as Windows store apps.

Microsoft: Yo dawg, we heard you liked Windows password expiry policies. So we expired your expiry policy

RobinCM

Compromised passwords remain valid for ever...

...Unless you force users to change them every now and then. And most places don't monitor for unusual access, so that compromise will continue for as long as the attacker likes.

Make people change them every now and then, 3-6 months sounds fair.

Unless you've implemented MFA. Then ignore the above, assuming it's a requirement on every system.

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

RobinCM

Re: Ironic that...

Presumably you're an admin though?

There's zero need for a standard user to be able to execute PowerShell. Decent Windows security people have been advocating disabling PS for users for quite a while. Likewise for VBA, and in fact all kinds of other stuff that comes with the operating system. This used to be called hardening, but is now just good security practice.

Cover your NASes: QNAP acknowledges mystery malware but there's no patch yet

RobinCM

Multiple problems?

As the person whose forum post is quoted in this latest Reg article, I think I might be suffering from a different, possibly older problem.

Several of the obfuscated .sh files I found were dated back in August. When the NAS was available on the internet. It stopped being directly visible around October, instead only allowing access via myqnapcloud.

Another interesting thing is that I wasn't running the latest firmware, but I'm pretty sure I would have checked it over the last few months via the admin web console. Along with this, the auto update check told me there was no new firmware available, when actually there was. I manually downloaded and updated the firmware the other day. Didn't fix the "wrong architecture" errors though.

Somebody from qnap support has apparently "delete[d] malware in the NAS QTS system" so I'll see later tonight if it's any healthier.

It is a few years old now but is apparently supported until some time in 2020. I just don't know if I trust it anymore. The whole point of having it was to get access to my stuff from anywhere with the minimum of hassle.

Windows 10 security question: How do miscreants use these for post-hack persistence?

RobinCM

NLA

Pretty sure that's on by default, and the machine will reject connections if the client doesn't support it or doesn't want to use it.
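A way to confirm what the comment above describes rather than assume it. This is an added example, not code from the original post: it reads the RDP listener settings, and if NLA is not required or the security layer is not TLS, sets both through the Terminal Services WMI provider. It assumes Windows 8/Server 2012 or later and an elevated shell.

```powershell
# Added example, not part of the original comment. Assumes Windows 8 / Server 2012 or later.
# Run elevated if you want the Set- step to take effect.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSecuritySettings {
    $props = Get-ItemProperty -Path $rdpKey
    [pscustomobject]@{
        # UserAuthentication: 1 = NLA required (client authenticates via CredSSP before a
        # session is created), 0 = session created first, logon screen shown to anyone.
        NlaRequired        = ($props.UserAuthentication -eq 1)
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
        SecurityLayer      = $props.SecurityLayer
        # MinEncryptionLevel: 3 = High (128-bit), 4 = FIPS.
        MinEncryptionLevel = $props.MinEncryptionLevel
    }
}

function Set-RdpNlaRequired {
    # Use the WMI provider rather than writing the registry so the listener picks the
    # change up without a reboot.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
                     -Arguments @{ SecurityLayer = 2 } | Out-Null
}

$before = Get-RdpSecuritySettings
if (-not $before.NlaRequired -or $before.SecurityLayer -ne 2) {
    Write-Warning "RDP listener is not NLA+TLS (NLA=$($before.NlaRequired), layer=$($before.SecurityLayer)); fixing."
    Set-RdpNlaRequired
}
Get-RdpSecuritySettings
```

With NLA required and SecurityLayer set to 2, a client that cannot do CredSSP (or that sends a plain RDP security layer) is refused before any session or logon UI exists, which is the behaviour the comment is relying on. A GPO can force the same two values domain-wide under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.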

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)

RobinCM

Drive firmware updates?

I wonder if there'll be any firmware updates released, and if these will be able to fix the issue without effectively junking all the data on the drive.

I also wonder what the performance hit is of software vs on-disk-hardware encryption. Newer CPUs have AES instructions built in so unless your processor is already running at 100% it presumably won't be too bad?

BitLocker documentation is here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdeosd

I imagine you'd have to decrypt then re-encrypt the drive after changing this setting, which would be somewhat time consuming.

It'll be interesting to see if/what guidance Microsoft produce on this topic.
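The two BitLocker comments above (the Scottish police one and this one) both turn on the same question: is a given volume using the drive's own encryption or Windows' software encryption, and is the policy that stops BitLocker deferring to the drive in place? This is an added example, not code from either post or from Microsoft: it reports the encryption method per volume via the BitLocker module and reads the three hardware-encryption policy values under the FVE policy key. The value names are the ones the ADMX template writes; the interpretation in the comments is mine.

```powershell
# Added example, not part of the original comments. Assumes Windows 10 / Server 2016+
# with the BitLocker PowerShell module; run elevated.

function Get-HardwareEncryptionPolicy {
    # The "Configure use of hardware-based encryption for ... drives" policies write these
    # DWORDs. 0 = hardware encryption not allowed (BitLocker uses software encryption),
    # 1 = allowed, $null = not configured (the OS default applies).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $result = [ordered]@{}
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $result[$name] = $value
    }
    return $result
}

function Get-BitLockerEncryptionReport {
    # EncryptionMethod is "Hardware" when BitLocker has handed encryption to the drive
    # (a self-encrypting drive), otherwise one of the AES/XTS software modes or None.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint        = $_.MountPoint
            VolumeType        = $_.VolumeType          # OperatingSystem or Data
            ProtectionStatus  = $_.ProtectionStatus
            EncryptionMethod  = $_.EncryptionMethod
            HardwareEncrypted = ($_.EncryptionMethod -eq 'Hardware')
        }
    }
}

'--- Hardware encryption policy ---'
foreach ($kv in (Get-HardwareEncryptionPolicy).GetEnumerator()) {
    $state = if ($null -eq $kv.Value)  { 'not configured' }
             elseif ($kv.Value -eq 0)   { 'hardware encryption disallowed' }
             else                       { 'hardware encryption allowed' }
    '{0}: {1}' -f $kv.Key, $state
}

'--- Volumes ---'
$report = Get-BitLockerEncryptionReport
$report | Format-Table -AutoSize

# A volume already reporting Hardware will not switch to software encryption just because
# the policy changes; it has to be decrypted and re-encrypted, as the comment above says.
$report | Where-Object HardwareEncrypted | ForEach-Object {
    Write-Warning "$($_.MountPoint) is hardware-encrypted: decrypt (manage-bde -off) and re-enable after setting the policy."
}
```

`manage-bde -status` shows the same "Encryption Method" line per volume if the module is not available. The performance question in the comment is not something this script answers; on CPUs with AES-NI the practical way to find out is to time a copy of a large file before and after the switch.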

Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia)

RobinCM

BIOS and other firmware updates are actually released fairly frequently, by decent manufacturers. Particularly BIOS since the spectre/meltdown thing kicked off.

My aging Dell laptop is up to BIOS version A21, which averages to a release every 4 months. The latest version was released in March, which is pretty impressive for a seven year old machine with no hardware support contract.

People actually bothering to install these updates happens much less frequently. Which is a shame because they often fix quite serious stability and data corruption issues, not to mention security.

Cybercrooks home in on infosec's weakest link – you poor gullible people

RobinCM

At the university I used to work for, the spam filtering used to outright delete around 80% of the messages arriving for the domain and only very rarely did we get somebody complain that an email they were expecting hadn't arrived. That was about four years ago.

Stress, bad workplace cultures are still driving security folk to drink

RobinCM

Re: IT is not a healthy profession

I worked in an increasingly toxic IT department for a long time, hoping it would get better. When it got worse, and after a few months off work with stress (which did help) I started looking for a new job. After about a year of looking - I didn't want to jump out of one terrible organisation and into another - I found the right job, still doing IT, but for a smaller and much nicer place, with an easier commute, better pay, and far more career prospects.

If you're not enjoying it, leave! I should have left my old job ten years before I actually did. Don't try and change a toxic organisation, and definitely don't stay there and work yourself into an early grave supporting managers who don't deserve it.

There's loads of IT and security jobs out there, just find the one that's right for you. Recruitment agencies can actually help with this. (If nothing else, getting the occasional phone call from them when they find your CV helps boost your self-belief and self-worth).

Put your CV on a few of the big recruitment sites, and see what happens!

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

RobinCM

1. Just because something is listening on localhost doesn't also mean it's listening on the machine's network IP address.

2. Most ISPs supply routers that have NAT firewalls enabled by default, so a machine listening on a private address behind one of those is unlikely to be accessible from the public IP address of the router.

3. If you're not banner grabbing how do you know what's actually listening?

4. I'm pretty sure ISPs do or used to do port scans of customer's public IP addresses, Virgin/Telewest definitely used to do that to me years ago. Does that still happen?

5. I'm slightly concerned that client side JavaScript could be scanning any local IP addresses on my internal network, and wonder what's the legitimate use for this functionality in a web browser? Seems like a drive by IoT disaster waiting to happen.

BlackBerry claims it can do to ransomware what Apple did to its phones

RobinCM

Only if it is run with an account that has sufficient privileges.

Who lets end users have admin rights these days? (Actually, plenty, sadly...)

Or doesn't remind users not to store their data on a network/cloud file server (where they definitely shouldn't have admin rights)?

Standard users can't remove VSS snapshots.

RobinCM

Crap

Rather like UEM then?

Been hoping that'll start working properly for two years now but new bugs keep on appearing. Current one is not being able to activate Android 7.1 devices. Oh, and another one is not being able to get app updates on some phones.

Plus it's Windows server software but for some reason they wrote it in Java, so it needs crazy amounts of RAM and is extra slow.

The features sound great on paper, and if they worked (as described, all of the time) it would be fine.

Very seriously considering ditching it.

New Zealand school on naughty step after ransomware failure

RobinCM

Windows has AppLocker (or Software Restriction Policies) but in my experience, few places bother turning it on.

Application whitelisting is just sensible, isn't it? Who wants any random code that they've not approved to run on their system?

I suspect it's not more widely used because of either ignorance (of its existence, or how to configure it properly) or laziness. Or because people think it's not necessary because how could they possibly be let down by all the extra security tech they spent £££££ on? "I don't need to close my doors and windows when I go out because I've got a burglar alarm"

RobinCM

Re: Surely...

Cloud storage (for users) tends not to use things like mapped drives, plus it tends to have file history features so even if your local files are encrypted and synced to the cloud, you can go back to a previous version.

No doubt somebody is working on a way to get around this though, but it'll be different for each cloud provider, assuming they have an API for accessing the type of features needed. Crypto malware has been trying to destroy local file history for years if it has sufficient privileges (i.e. user is logged on with an administrator account).

Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound

RobinCM

It's no different from any other tech

Yes it's a car, but how is this different to selling a phone, laptop, tablet, fridge or anything else with tech in it?

If I sell an Android phone, I need to make sure I remove my data and Google account from it before I sell it.

Ditto for any of the other items I mentioned. As a seller, I would want to do this, so I know my data has gone before the device leaves my ownership.

If I'm buying a second hand car I'm definitely going to be asking the retailer if any connected functionality has been correctly reset and is ready for my use - before I buy the car.

Seems like the guy in the article failed to do that, and then got in a strop and blamed the vehicle manufacturer for his own lack of foresight.

If I bought a used iPhone and the previous owner hadn't wiped it properly, and I didn't check that before I bought it, how would that be Apple's problem?

Font of pwnage: Crims poison well with crypto-jacking code, trickles into PDF editor app

RobinCM

Re: "The whole exercise is a fine example of a supply chain attack"

Presumably the same thing could occur with the various package managers like apt or rpm? They seem to pull down a load of dependencies on the fly, so all somebody has to do is compromise some frequently used library package or whatever, and bingo.

We've also talked about dynamically linked JavaScript on websites, where the code is hosted elsewhere.

Seems like there are many opportunities for supply chain type problems to occur.

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

RobinCM

Re: SMB

You can help this situation by configuring a firewall on your file server to only allow connections from places you'd expect one to be inbound from.

You could also/alternatively use IPSec to limit what is able to connect to that server.
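The two measures in the comment above, done with the Windows Firewall cmdlets. This is an added example, not code from the original post: it allows TCP 445 only from listed subnets (the default inbound block covers everything else once the built-in "allow from anywhere" SMB rule is disabled), and then adds a connection security rule requiring IPsec with Kerberos machine authentication on that port. The subnet ranges and rule names are assumptions for illustration.

```powershell
# Added example, not part of the original comment. Run elevated on the file server;
# subnets below are assumed values, replace with the ranges your clients actually use.

$allowedClients = @('10.10.0.0/16', '10.20.5.0/24')   # assumed: user LAN and management VLAN

function Set-SmbInboundRestriction {
    param([string[]] $RemoteAddress)

    # Make the script re-runnable: drop our own rules from any previous run.
    Get-NetFirewallRule -DisplayName 'FileServer SMB*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Disable every built-in inbound rule that opens TCP 445 to any address (the
    # "File and Printer Sharing (SMB-In)" rules), otherwise they still let everyone in.
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -notlike 'FileServer SMB*' } |
        Disable-NetFirewallRule

    # Allow SMB only from the listed subnets. Anything else falls through to the profile's
    # default inbound action, which should be Block (checked below).
    New-NetFirewallRule -DisplayName 'FileServer SMB in (allowed subnets)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress $RemoteAddress -Action Allow -Profile Domain | Out-Null
}

function Set-SmbIpsecRequirement {
    # Phase 1 (main mode) authentication with Kerberos machine credentials, so only
    # domain-joined computers can even negotiate an SA for port 445.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'FileServer SMB Kerberos machine auth' -Proposal $proposal
    New-NetIPsecRule -DisplayName 'FileServer SMB require IPsec' -Protocol TCP -LocalPort 445 `
        -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $authSet.InstanceID | Out-Null
}

function Test-SmbExposure {
    # Report the default inbound action per profile and what our SMB rules now look like.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    Get-NetFirewallRule -DisplayName 'FileServer SMB in*' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; RemoteAddress = ($addr.RemoteAddress -join ', ') }
    }
}

Set-SmbInboundRestriction -RemoteAddress $allowedClients
Set-SmbIpsecRequirement
Test-SmbExposure | Format-Table -AutoSize
```

Two caveats a practitioner would want: the IPsec rule only works if the clients have a matching connection security rule (normally pushed by GPO), so apply the IPsec half to a test OU first or clients will simply fail to map shares; and if `DefaultInboundAction` is not `Block` for the profile in use, the allow-list is decorative.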

RobinCM

Re: 2FA can be worse than just letting things be

You're clearly not going to like this, what with that hornet's nest in your collective bonnet, but that didn't sound unreasonable to me. Most places would have you use a 2fa code at every authentication. Once per 24hrs on non-school-owned devices seems fair enough. I'm kind of amazed that educational establishments still allow byod, what with the extra-sensitive nature of most of their PII.

Places of education tend to have terrible IT security, and this is exactly the type of reaction when anyone tightens it.

The other argument that gets used a lot to block security tech is "academic freedom".

Sadly, the rest of the world is slowly doing this shit, and you're no different. Even if you think you are. Sorry!

RobinCM

Re: No Lockouts? Really???

Exactly.

It'd be very easy to write a few lines of script that gets all the usernames from AD (readable by all users, and potentially even anonymously if you've not secured it) and then bang a password of "a" at each one until it locks, move on to the next and repeat.

Instant chaos. I'm amazed more people don't have this kind of problem with malware or when they get infected with remote access tools. Perhaps it's just one of those mass disasters waiting to happen...
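The defensive side of the scenario in the comment above, as an added example that is not from the original post. Each lockout is logged as Security event 4740 on the PDC emulator, and the event's TargetDomainName field carries the name of the caller computer, so a deliberate lockout storm shows up as one caller locking many distinct accounts in a short window. The window and threshold are assumed values.

```powershell
# Added example, not part of the original comment. Needs the ActiveDirectory module and
# rights to read the Security log on the PDC emulator. Minutes/Threshold are assumptions.

function Get-LockoutStorm {
    param(
        [string] $DomainController = (Get-ADDomain).PDCEmulator,
        [int]    $Minutes   = 15,
        [int]    $Threshold = 10
    )

    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull fields by name from the event XML rather than by positional index.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # For 4740 specifically, TargetDomainName holds the "Caller Computer Name".
            Caller  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    } |
    Group-Object Caller |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            CallerComputer = $_.Name
            LockedAccounts = ($_.Group.Account | Sort-Object -Unique).Count
            LockoutEvents  = $_.Count
            FirstSeen      = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen       = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

# The policy that makes the attack work. LockoutThreshold 0 means no lockouts at all,
# which swaps this denial-of-service problem for unlimited online guessing.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

Get-LockoutStorm | Format-Table -AutoSize
```

A caller that is a proxy, terminal server or VPN concentrator will naturally aggregate lockouts from many users, so those hosts need to be on an allow-list or investigated at the next hop; a workstation locking dozens of accounts in a few minutes has no benign explanation. Running this on a schedule and alerting on any non-empty result is cheap compared with the help desk queue the comment describes.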

RobinCM

The last thing I want is to have to cart around, keep charged, and generally take care of a second electronic device. Been there, done that, far too much hassle.

I'd be more than happy to use an app on my own phone as long as it doesn't drain the battery significantly, doesn't intrude when I'm not at work, and doesn't use noticeable amounts of data.

E.g. Google Authenticator. Or a text message. Or the Microsoft Authenticator app. I might be tempted by a Yubikey, but I can see that across a large organisation the rate of loss would be significant.

The beauty of allowing staff to use their own phones for MFA/OTP is that they tend to always have them with them, they're always charged, they know how to unlock them, and they tend to take a lot more care of them than a company device.

I'm speaking as somebody who tried a corporate phone and found it a massive pain, and as one of the people who've been managing the devices.

What is a shame is that Active Directory and Windows doesn't have some kind of MFA/OTP built in from years ago. I've yet to find a solution that I like the look of that works when the endpoint is offline and that is affordable.

Way back in the mid 90s I had skeys (one time passwords) for remote access to Solaris systems.

I doubt Microsoft will be changing their current plan of attack though, i.e. Windows Hello. Although they've got umpteen options for various other things these days, so maybe a simple pluggable authentication module to support a 6 digit code type of OTP will appear. Surely it can't be that difficult?

Friday FYI: 9 out of 10 of website login attempts? Yeah, that'll be hackers

RobinCM

Re: Another reason this is such a successful exploit

If the credential databases from multiple sites are stolen, they'll either include the email address in addition to the username, or people will use the same username on multiple sites.

It'll make some impact, but I don't think it's the kind of panacea that people make it out to be.

Plus, people forget them, leading to knock-on issues with the site holder then having to have a "remind me what my sign in details are" feature, with all the scope for abuse that brings with it.

Two factor, done right, all the way for me.

RobinCM

Re: password reuse

Other banks are available...

I believe that one of the top rated banks in the UK for customer service exists entirely online, not that I'm a customer, but perhaps you choose unwisely?

Brit tech forges alliance to improve cyber security as MPs moan over 'acute scarcity' of experts

RobinCM

Re: Why?

Exactly. And the certs are there too.

Tigerscheme's Qualified Security Team Member/Leader, Check Team Member/Leader, etc. Plus there are plenty of industry vendor certs from generic ones like CompTIA Security+ to more vendor specific stuff from e.g. Microsoft.

As has also already been mentioned, the problem is companies not actually coughing up to train people, then not employing enough of them, and not listening to them when they have employed them.

Schemes like Cyber Essentials Plus are helping make some companies comply with a basic security baseline, but it's not enforced across all companies yet, and it's scary how many applicants fail various bits of the testing. And those are the ones who are at least trying to be secure!

Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

RobinCM

some older environments may end up at risk where there is poor security practice – e.g.

...if there are network connected, unsupported or unpatched operating systems running.

TSB meltdown latest: Facepalming reaches critical mass as Brits get strangers' bank letters

RobinCM

Perhaps

If TSB hadn't been forcibly split off from Lloyds then this wouldn't be an issue.

Any large scale data migration is going to have problems. These problems are exacerbated due to money being involved. Hands up if you've done a data migration of this scale and had zero issues?

I feel rather sorry for TSB in some respects. Forced into existence, they hire a supposedly expert firm to manage their systems and data migration only to have it blow up in their face. So they're paying through the nose for IBM, and now they're having to deal with frauds, fines and legal nonsense too. And try and provide some kind of valuable service to customers.

Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!

RobinCM

Re: Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself.

You don't get multi-factor authentication on old protocols like IMAP. Which to their credit, Yahoo have been strongly encouraging their users to turn off if they don't need it. Given that 99.99% of people just use a browser this is the right approach.

I used to use IMAP years ago (via a telnet client sometimes, ha!) but MFA is too useful a security measure.

Still not on Windows 10? Fine, sighs Microsoft, here are its antivirus tools for Windows 7, 8.1

RobinCM

E5 only

I'm pretty sure you can only get ATP if you have a Windows Enterprise E5 license. Which is a shame as that's not available to places with under a certain number of licences, or it's extremely expensive compared to E3.

ATP looks rather good, I have no idea why it's not being made more accessible to smaller businesses.

Acronis: Ransomware protection! Get yer free ransomware protection!

RobinCM

Veeam support head Gostev posted a month ago about a company that was hit with Cryptomix Arena, which encrypted all their file servers and VMs, called home, and then human beings manually deleted all their Veeam backups via Veeam itself including both local NAS copies and those in the cloud, then deleted the Veeam VM. The customer managed to recover some data thanks to storage snapshots, but I think I'd prefer some offline backups for peace of mind!

Wanna motivate staff to be more secure? Don't bother bribing 'em

RobinCM

Re: Dont' name and shame persistent offenders

You ask yourself if you want to continue working there.

And/or talk to their boss and explain the situation, and then re-ask yourself if you want to continue working there.

You'll find your motivation for your job probably either decreased significantly, or, ideally, increased significantly.

Russia claims it repelled home-grown drone swarm in Syria

RobinCM

Flashy drones

https://eandt.theiet.org/content/articles/2018/01/intel-demonstrates-coordinated-250-drone-lightshow-as-a-fireworks-alternative/

All the flash but without the bang.

Tenable's response to folks upset at AWOL features: A 150-emails-a-minute spam storm

RobinCM

Re: Someone has shot themselves in the foot

So what else is out there? Aside from OpenVAS, which I've heard of but not used.

Somebody commented by saying that there are loads of alternatives, but conveniently mentioned precisely none of them.

Don't care if it's paid or free, but it needs to be good and to "just work".

Thank you!

Intel Management Engine pwned by buffer overflow

RobinCM

Please explain

How is Google's plan of using Linux instead of Minix any better? Am I missing something?

Want to get around app whitelists by pretending to be Microsoft? Of course you can...

RobinCM

AppLocker

A different type of whitelisting, but works well enough to stop people (non-admins) running stuff you've not approved.

Except it now doesn't block PowerShell, and worse, lies and tells you it has in the event log. Disappointing.
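Three of the comments above (disabling PowerShell for standard users in the IBM/PowerShell piece, turning AppLocker on at all in the New Zealand school piece, and this one) come down to one AppLocker policy and, given the PowerShell behaviour this comment complains about, to actually testing what the policy decides rather than trusting it. This is an added example, not code from the original posts or from Microsoft: a path-based Exe rule collection that lets Everyone run what is under the Windows and Program Files directories minus the PowerShell host directories and a couple of user-writable Windows subfolders, gives Administrators everything, and is then checked with `Test-AppLockerPolicy` for both SIDs before being applied in audit mode. The rule GUIDs and names are illustrative.

```powershell
# Added example, not part of the original comments. Run elevated; AppLocker needs the
# Application Identity service (AppIDSvc) running to enforce anything. GUIDs are illustrative.

$policyPath = Join-Path $env:TEMP 'applocker-standard-users.xml'

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="3f9d3d61-0c2b-4d1f-9c2e-0d5a1b5d1001" Name="Everyone: Windows folder, minus PowerShell hosts and writable subfolders"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <!-- an exception removes the path from this rule; with no other rule allowing it,
             a standard user is then denied by default -->
        <FilePathCondition Path="%WINDIR%\System32\WindowsPowerShell\v1.0\*" />
        <FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\*" />
        <!-- folders under %WINDIR% that a standard user can write to (not an exhaustive list) -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="3f9d3d61-0c2b-4d1f-9c2e-0d5a1b5d1002" Name="Everyone: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <!-- AppLocker's %PROGRAMFILES% covers both Program Files and Program Files (x86) -->
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="3f9d3d61-0c2b-4d1f-9c2e-0d5a1b5d1003" Name="Administrators: everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

function Test-StandardUserPolicy {
    param([string] $PolicyPath)

    # A real binary copied to a user-writable location stands in for "random code the user downloaded".
    $dropped = Join-Path $env:TEMP 'dropped-notepad.exe'
    Copy-Item "$env:WINDIR\System32\notepad.exe" $dropped -Force

    $targets = @(
        "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:WINDIR\System32\notepad.exe",
        $dropped
    )
    # PolicyDecision is Allowed, Denied, DeniedByDefault or AllowedByDefault; nothing is enforced by this call.
    foreach ($sid in 'S-1-1-0', 'S-1-5-32-544') {     # Everyone, Administrators
        Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $targets -User $sid |
            Select-Object @{ n = 'User'; e = { $sid } }, FilePath, PolicyDecision, MatchingRule
    }
}

Test-StandardUserPolicy -PolicyPath $policyPath | Format-Table -AutoSize

# Audit mode first: would-have-blocked executions appear as event 8003 under
# Applications and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL.
# Flip EnforcementMode to "Enabled" in the XML only once that log is quiet for real users.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Expected decisions for the Everyone SID: `powershell.exe` and the copy in `%TEMP%` come back `DeniedByDefault`, `notepad.exe` in System32 is `Allowed`; for the Administrators SID all three are `Allowed` by the catch-all rule. If the live behaviour on a given build differs from what `Test-AppLockerPolicy` reports, as the comment above says it did for PowerShell, the 8002/8003/8004 events are the record to compare against, and the Script rule collection (not shown here) is what governs `.ps1` files once the host itself is allowed.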

Everybody without Android Oreo vulnerable to overlay attack

RobinCM

Nokia

Are advertising their Android phones in part by stating their "pure Android" nature and that they'll get regular security updates. Specs aren't bad either, my partner bought a Nokia 8 yesterday and it's rather nice - considering getting one myself.

My HTC One M9 is still on 7.0 April 2017 security update.

It'll be interesting to see how many other manufacturers start to jump on the "pure & secure" (tm) bandwagon.

Tech firms take down WireX Android botnet

RobinCM

Patched?

"the attack vector has been patched by Google"

... but that patch will not ever be deployed to 99% of devices.

They really need to sort out the update mechanism for the OS itself. We all know most manufacturers/carriers don't send them out.

Inside the ongoing fight to stamp out govt-grade Android spyware

RobinCM

Re: "to target older versions of Android that are no longer being patched "

If companies slowed down a little on developing and releasing new hardware (often that is not really significantly different from the previous version, or other products in their range) they might be able to a) spend more time testing and deploying security updates, and b) stop needlessly polluting the planet by manufacturing the pointless multiple new hardware revisions.

Knowing what most people are like, they get attached to their stuff and don't want the hassle of choosing and migrating to a new device every few years. I wish I could bung HTC a few quid every year to get access to security updates for my phone. But instead I have to throw it out and buy a new one every few years.

A few software devs have got to be cheaper than the vast amounts they must currently spend designing testing and building new hardware every few months.

That model would take some selling at present, but sometime soon the collective security awareness of the world will demand it. Surely?

If not, legislation will be needed.

Yeah, WannaCry hit Windows, but what about the WannaCry of apps?

RobinCM

Control freak

I would much rather be the cause of outages and problems with my own systems through applying updates, than not apply updates and have some malware/hacker get into them and mess them up.

I know which updates I've tested and applied, and when I did it. Who knows what the malware/hacker has done, or how long they've been there doing it for.

The risk of not updating outweighs the risk of updating.

Reg readers speak out on Thin Client technology

RobinCM

Lync 2013 - does not support Remote Desktop Session Host.

https://technet.microsoft.com/en-gb/library/jj204982.aspx

Oops!

Shame, because in Server 2012, RDSH performance and functionality is great, and Lync 2013/Skype for Business is also great. But not if you want to use them both together.

Might be some other relevant stuff in here for some people: https://rcmtech.wordpress.com/2014/09/11/why-im-not-deploying-windows-desktops-using-remote-desktop-services/



Biting the hand that feeds IT © 1998–2020