* Posts by Amos1

203 publicly visible posts • joined 9 Feb 2014


More Salt in their wounds: DigiCert hit as hackers wriggle through (patched) holes in buggy config tool


Wow, snarky and pointing the finger away from themselves all in one sentence?

"The company added: 'Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability.'"

Shouldn't that line read:

The company added: "Companies who have followed fundamental internet security guidelines and best practices will not have clients affected by this vulnerability."

Call us immediately if your child uses Kali Linux, squawks West Mids Police


Re: Be a government informer! Betray your family and friends! Fabulous prizes to be won!

It turns out that my elementary school teachers were simply referring to the Internet almost three decades before it went mainstream.

Train-knackering software design blunder discovered after lightning sparked Thameslink megadelay


Re: Load shedding?

Let's not forget that FirstEnergy had a direct, unfirewalled T-1 connection to their internal network with a vendor who got a Blaster infection. Blaster spread across the T-1 to the FirstEnergy internal network and clobbered a bunch of systems including monitoring systems.

At the time I worked in the city next door to Akron, OH, where FirstEnergy's headquarters were located. When our data center cut over to UPS and the entire company headquarters went dark, we hurriedly patched what we could for Blaster. Yes, we had our own Blaster infection going on because our non-technical CIO banned most patching because it "interfered with getting work done."

Why "what we could"? Because our non-technical CIO thought a 15-minute UPS capacity was good enough for anyone and we had no generator despite being multi-national corporation hosting SAP for worldwide operations. Four months later we had a generator.

He would not let us buy LCD monitors or KVMs because they were too expensive. So we had a bunch of old CRT monitors on all of the servers. Turning those monitors off bought us another five minutes of battery power.


Re: and basically impossible to test for.

My favorite was to enter an Alt+255 sequence on the numeric keypad while typing in an app's field or free form text field. That enters a NULL character. I used to use it in my passwords instead of a space.

I once did that on a new database app and it was unrecoverable for some reason. I mean unrecoverable as in they had to restore the database from a backup. Once their app tried to read the high ASCII it barfed all over itself. Fun times. :)

BOFH: On a sunny day like this one, the concrete dries so much more quickly


Informal poll on whether you've ever had to do something like this

If you've ever had to do what they described (resurrecting an ancient system, NOT knocking off auditors), click the Up Arrow. If not click the Down Arrow.

If I could click my own posts I would, several times. The best one was when we had to bring up an old server in 2016 from an acquisition years before I started with the company. A Novell 3.11 server with the acquired company's financials.

We'll do the auditor poll another time.

A real head-scratcher: Tech support called in because emails 'aren't showing timestamps'


Witnessed it personally as well. The boss was a Ph.D. chemist and absolutely brilliant (seriously) and was head of the company's large Research Center. He developed numerous well-selling chemical products still in use today in the polymers industry. But he just did not understand computers at the time (early 2000s). His AA printed out all emails and put them on his desk, he hand-wrote the replies and she then sent them.

Once he was at a remote plant and needed to use remote access to pick up emails because his AA was in another state and that location's fax machine was out of service. I was given the call when it came in of "can't connect". He was a great fellow so I liked working with him. This was a dial-up connection using a Windows 95 PC with a third-party dialer.

We started from scratch with me saying "Click on the Start button" followed by several seconds of silence followed by "Where is that again? As you know I don't use this thing very much."

I eventually got him connected and he thanked me for my patience. He then asked when I could spare some time to stop by the Research Center and give him some PC lessons. He said "I suppose these things are not going to go away." We laughed and I gave him the lessons.

A few years ago he sent me a message via LinkedIn from the university where he now leads the polymers science center and said "Hey, remember back when I couldn't find the Start button? I think I've got this thing figured out." followed by a smiley face.

I had not heard from him in years and I thanked him for the best laugh I'd had in a long time. And it was.

We dunno what's worse: Hackers ransacked Citrix for FIVE months, or that Equifax was picked to help mop up the mess


Re: Password spraying

"Two-Factor Authentication? We don't need no stinkin' Two-Factor!"


"Two-Factor Authentication? We use Two-Factor Authentication. We require both a Username AND a Password!"

Hey criminals, need a getaway vehicle? There's an app for that... Car share tool halts ops amid crime wave, arrests


I'm curious as to who is dumb enough to put a Mercedes, several Mercedes apparently, on what is effectively a short-term rental service.

Techies take turns at shut-down top trumps


Re: The problem with poorly located buttons

"To be honest, having a shutdown button right next to the door is always going to ask for trouble."

Indeed. If one wants to prevent accidental or malicious activation then design the shutoff like the nuke missile silos. Two keys required and separated by enough distance that one person cannot turn both at the same time. Perhaps one at each data center door. Problem Solved.

While this may cause other problems, my job was to fix the accidental or malicious activation problem.

Blue Monday: Efforts to inspire teamwork with swears back-fires for n00b team manager


Re: Managers looking good!

"For some reason it took managers always a couple of weeks to translate that to the correct eight letter word (junior devvers got it immediately)."

Management is the same the world over. As I'm nearing retirement I've been using www.timeanddate.com a lot. It has a date-to-date calculator and will automatically subtract weekends and US federal holidays, leaving "work days". I then subtract out unused vacation (holiday) and expected sick time leaving me the days I'll need to report to work.

When I finally got below one year I had this exchange with my manager, a company senior manager who had asked me for a year's notice (I was there a long time, understood a lot of the IT history and had a lot of tasks to transition):

Me: "I only have 300 days at work remaining before retirement."

He: "What? You only have 300 work days left?"

Me: "No, I have 300 days at work left. There is a difference."

He just looked very confused whilst all of the non-managers in the room immediately broke out laughing.

Oracle sued for $4.5m after ERP system delivery date 'moved from 2015 to 2016, then 2017, then... er, never'


A former employer did SAP right

Old, large diversified manufacturer with disparate lines of business from acquisitions and no ERP system. Nine financial systems, fifteen phone systems, etc.

Decided early on to modify company processes to match SAP regardless of the pain to avoid, at all costs, any software customization. It took two years to do that part, before the SAP implementation could actually start. Several older people left the company because of it. The 43-year-seniority Fixed Assets manager sat through the discussions and presentations on his area and then said "That looks great but I need all of the screens to look like this" and handed out printscreens of the current AS/400 green screen. Company regrouped and assigned three people to learn the fixed assets business and realized what a horrible mess it was (we were paying personal property taxes on equipment that had been disposed of years earlier kind of thing). Old manager was thanked for his years of service and got retired. Other stories were similar.

One major customer heard of the SAP project and summoned the division president to their headquarters. Customer read him the riot act about how their business had been seriously damaged by other suppliers switching to SAP. Customer demanded three months of materials on site prior to the SAP cutover date, to be billed on usage (consignment). Our president readily agreed. Customer was very happy that we had agreed so easily and asked what the cutover date was. Our president replied "Three weeks ago." And it was.

It's all about whether a company says they want change or whether they really do want to change. Too often it's the former. We've all seen numerous examples of that behavior too often.

Wells Fargo? Well fscked at the moment: Data center up in smoke, bank website, app down


Re: The BOFH Strikes Again

We had an entire data center "go quiet" once for a semi-related reason. The EPO button (emergency power off or Big Red Button) can be wired one of two ways, normally closed or normally open.

Normally closed is similar to a light switch that is always on and flipping the switch kills the power. That's how this one was wired. Even though everything had preventive maintenance twice a year, "everything" did not include that 20 year-old push button and its wiring screws slowly loosened up.

Then one day someone came into the data center and when the door closed behind them, the door next to the Big Red Button, it got very quiet.

The electricians said someone had pushed the button and the person who walked in was worried he was going to lose his job, but the security cameras showed he was nowhere near it.

The EPO button is now wired as normally open...

If you wanna learn from the IT security blunders committed by hacked hospital group, here's some weekend reading


Re: show me the money

The opposite of security is not insecurity. The opposite of security is overly convenient.

The issues described in this article probably apply to 99.9999% of all IT systems operators in the world.

When I do interviews of prospective vendors I always ask the question "Do you have staff dedicated 100% to operational security (not including compliance) or is security everyone's responsibility?"

The competent ones answer "Both."

The dumb ones enthusiastically respond "No. Security is everyone's responsibility!"

When something is everyone's responsibility it's no one's responsibility.

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)


Give Adobe a break

After all, they had to push out yet another Acrobat and Reader emergency patch a few days ago.

Oh wait, they did push a Flash patch today: https://helpx.adobe.com/security/products/flash-player/apsb19-01.html

Jeep hacking lawsuit shifts into gear for trial after US Supremes refuse to hit the brakes


Re: So...

If I recall, a vendor left access open from the Internet in general to a system that was never supposed to be exposed to the Internet and they figured it out. I've certainly never heard of that being a problem before (vendor screw-up, no monitoring, ports left open) (rolls eyes).

Supernovae may explain mass extinctions of marine animals 2.6 million years ago


This 2006 book on the same subject is a fascinating read


It's still one I enjoy re-reading because of the way they wove the story. They tied physical evidence on earth to other evidence of a supernova causing an extinction-level event.

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage


Re: Offsite scripts GAH!

"...if it's an even vaguely secure area no script that you have not copied locally and validated does what you think it does goes in, is this so hard to understand."

I'm not understanding how that matters. If the script links in external references the script can be benign when tested but not necessarily in the future.

Still relevant after all these years: Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.

I'm waiting for the Google Analytics site to get whacked, if just by a resource-consuming coding error.

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory


Re: Too much power

"I got to a human who said that if I'm NOT in the equifax or experian databases, they cannot prove I exist! (I am in the OPM as I had a security clearance, or I should be, anyway -..."

You could probably ask the Chinese government for an affidavit of your existence since they allegedly owned both Equifax and OPM.

Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS


Re: It's time to start over

Let's not forget GUIs that let the unskilled call themselves "developers" and "admins" because they can drive a mouse. Or the proliferation of open-source code dropped into apps with nary a clue what is really going on inside those black boxes. Write once, hack many; the joy of code re-use.

Microsoft sysadmin hired for fake NetWare skills keeps job despite twitchy trigger finger


Re: Nothing beats them

Hmm, I've never referred to "coworkers" as "equipment" before but sure, that works.

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers


Re: Microsoft TMG and TLS support

TMG effectively went EOL years ago. If your company is still using it they are not interested in securing their data.

Solid password practice on Capital One's site? Don't bank on it


Working for a bank, I can assure you that is almost impossible. Why? Because pretty much every company makes all accounts available from the Internet by default. So if you don't use it someone else just might.

You also should set transaction alerts for the smallest allowable amount, usually $1 or $5 because you should always know when one of your accounts is used.

You can request that Internet access be disabled one account at a time but I've seen many an upgrade enable them without warning.

Back up a minute: Veeam database config snafu exposed millions of customer records


Re: Are they..

Anybody want to wager on whether the security people at British Airways suddenly lost interest in their work when they learned BA was talking to IBM about taking everything over? Particularly with IBM's reputation for massive layoffs?

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS


With proper change control processes it could not go live so the developers would not take the hit.

Just go DevOps and automate that upcoming breach.


Clearly the Marketing department does not run your company as it does in many if not most.

That or they are running websites that you don't even know exist. Having the IT Security function exclusively manage public DNS made us aware of a few end-run attempts like that.

Cock-ups, rather than conspiracies, top self-reported data breaches


We looked at a year's worth of outbound emails for the number of recipients. For business-related emails the max number of recipients was 7 so we set a limit of 10 maximum recipients per email. Others to church memberships, soccer leagues, baseball leagues and the like had dozens to hundreds. Those can't get sent using company email systems any more. All advertising, customer communications, etc. must go through a third-party mass-spammer and those are triple-inspected for format and content so there will be multiple, documented people to blame.

Event management kit can take a hammering these days: Use it well and it'll save your ass


Every time an auditor asks us how we monitor for after-hours activity I ask why that is important. I point out that the Target (department store) malware turned itself on at 9 AM and off at 5 PM so its activity could hide in the noise of the daily operations. I point out that people simply walk away from their computers at the end of the day rather than shutting them down as policy says because they're lazy and their managers don't care so we'll always have after-hours activity.

I point out that monitoring for failed logins is far less valuable than monitoring for successful logins because, well, a failed login has no access to data. I mention that what the audit department needs to do is get HR to inform IT Security of people's vacation and out-of-the-office hours during the workday so we can monitor for use of their accounts while they're not physically present.

The auditor will stare blankly at me and say that their procedure says we have to be checking for after-hours activity. I reply that people never logoff and leave the applications running so we have a lot. They are happy that we're monitoring and the item gets its check mark. Audit Passed.
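The check described in that post, as an added example that is not part of the original comment: successful logins are matched against an HR out-of-office table, failed logins and time of day are deliberately ignored. The log format, user names and date ranges are constructed for illustration.

```python
"""Flag successful logins by accounts whose owner HR says is out of office.

Added example (not from the original post). The log line format, the HR
out-of-office table and all user names below are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List

# Constructed sample log: "<ISO timestamp> <user> <SUCCESS|FAILURE> <source ip>"
SAMPLE_LOG = """\
2019-03-04T09:12:03 alice SUCCESS 10.1.4.22
2019-03-04T09:15:41 bob FAILURE 10.1.4.23
2019-03-04T09:16:02 bob SUCCESS 10.1.4.23
2019-03-05T14:02:10 alice SUCCESS 10.1.9.7
2019-03-06T22:30:00 carol SUCCESS 10.1.4.30
2019-03-06T23:05:12 alice FAILURE 203.0.113.5
2019-03-07T10:45:00 alice SUCCESS 203.0.113.5
"""

# Constructed HR feed: inclusive date ranges when the person is away.
OUT_OF_OFFICE = {
    "alice": [(date(2019, 3, 5), date(2019, 3, 8))],
    "carol": [(date(2019, 3, 1), date(2019, 3, 3))],
}


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    user: str
    success: bool
    source: str


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, result, source = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append(LoginEvent(when, user, result == "SUCCESS", source))
    return events


def is_out_of_office(user: str, day: date) -> bool:
    """True if HR lists the user as away on that calendar day."""
    return any(start <= day <= end for start, end in OUT_OF_OFFICE.get(user, []))


def suspicious_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful logins that happened while HR says the user was away.

    Failed logins are ignored on purpose: they gained no access to data.
    Time of day is not considered either, because people leave sessions
    running overnight and after-hours activity is normal noise.
    """
    return [e for e in events
            if e.success and is_out_of_office(e.user, e.when.date())]


if __name__ == "__main__":
    for e in suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"{e.when.isoformat()} {e.user} logged in from {e.source} "
              "while out of office")
```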

DXC Technology asks field-based techies if they'd like to leave


Someone needs to better optimize and align their keyboard

"... better align and optimise in order to support our client base ob these digital journeys."

Yes, "b" and "n" are next to each other, at least on my keyboard.

Don't know if it's El Reg or DXC, though.

Oracle: Run, don't walk, to patch this critical Database takeover bug


Re: What?

Are you certain you have to be logged in? I've never seen a CVSS 9.9 that required authentication. Usually if it's above 7 or 8 then it's unauthenticated. I think by default that all users are granted CREATE SESSION. Also remember that Oracle has a long history of down-rating their vulnerabilities but man, there isn't much difference from the max of 10.0 and 9.9.

I wonder if a web app could be used to exploit this unauthenticated. Web user hits login page, service account hits database, kind of thing.

OT, does anybody know why the maximum rating is 10.0 when it's impossible to have a 10.1? Seems silly.

Sysadmin sank IBM mainframe by going one VM too deep



Northgate Computer Systems had the best keyboard I ever used. It was my first PC, a 386 with 1 MB of RAM and two, count them, TWO 65 MB RLL hard drives. It only cost me $3,495. I later upgraded it to 4 MB of RAM by replacing around thirty-two discrete integrated circuits so I could run DESQview. I used that keyboard for years.


"Incidentally, since we call it a hash in the UK, but the Americans call it a pound and the social media companies are US based, why don't they call it a poundtag ?"

I was wondering why it's not called a dollartag in the U.K.

Similar to how we drive on the parkway and park on the driveway.

Timehop admits to more data leakage, details GDPR danger


Re: "by the time incident response processes kicked in"

I suspect you're assuming the stable door is in fact closed. Or closed but perhaps not locked. Deficient information protection practices are pervasive in companies.

Open plan offices flop – you talk less, IM more, if forced to flee a cubicle


Re: What about disturbing others?

Just a "foghorn leghorn"? Another lovely aspect of the open office plan is the male or female who slathers on so much cologne or perfume that I can't breathe even though they are several rows away. My manager is one of those.

Security guard cost bank millions by hitting emergency Off button


Is your EPO button NC or NO?

Emergency Power Off, Normally Closed, and Normally Open.

At the company where I worked (in the last two years) the data center once went Very Quiet (tm) and it took a while to figure out. The EPO button was properly behind a plastic guard and no one was within five feet of it when things went Very Quiet. It developed that the EPO button was a normally-closed button (think of a light switch where the light is always on). A break in the circuit would cause the EPO to engage.

Yeah, in decades of preventative maintenance no one had ever removed the Big Red Button from the wall to check that its terminals were still tight. Years of people walking past and slight vibrations had loosened the terminals so that the next vibration momentarily broke the circuit and down everything went.

The electricians said they had seen the Big Red Button wired both as NC or NO and it was our choice. We had it rewired as NO so you had to push the button to engage the emergency power off function.

'No questions asked' Windows code cert slingers 'fuel trade' in digitally signed malware


"Look at HTTPS compared to SSH. With SSH, no signed certificate is required. The first time you log onto a server you get a signature in your "authorized" store and if it subsequently changes, you know something odd (not necessarily nefarious) is going on and you can inquire."

When people visit hundreds of websites every day that method is completely unworkable, especially since much content comes from third-party sites and you never see their URLs in the browser. If the usual method to communicate a validity string, such as a SHA file hash, is to put it on the web page where a hacker could modify the binary and the hash value to match, it's of no value security-wise. It just assures you downloaded the backdoored malware intact. If you even bother to check the hash or SSH fingerprint.

And with the push to reduce the certificate validity period from two years to one year or worse it's completely untenable. It only works for SSH because the certs never change, a risk in itself.

Windows Server 2008 SP2 gets new support model


Does support end on Jan. 1, 2020 or Jan. 14, 2020?

The article says the 1st but I know of more than a few companies that are figuring the date to be Feb. 11, 2020. That's the date of the first Patch Tuesday where there are no more free patches for Windows 7 or Server 2008.

If you want to strike the Fear of <insert deity> into someone, go to www.timeanddate.com, click on Date-to-Date Calculator, click on the "Count only workdays" link and then fill in the fields. (The link calculates US holidays; I do not know if it works in other countries).

As of today there are 397 workdays left to convert every one of your Windows 7 and Server 2008 systems AND their applications to a newer version, a few more if you don't get all of the holidays. Presuming of course that your company cares about such things.

580 days if you work in a sweatshop.


Re: Rollups suck...

Oh, you mean like March 2018 where we could not deploy the sole patch because of how it massively screwed things up so we were pushed out of our "all critical patches within 30 days of release" compliance requirement?

Microsoft reveals which Windows bugs it might decide not to fix


Re: Pay more, get less

"If somebody has physical access to the machine, they probably don't need the exploit anyway."

The reality of malware is that there is almost nothing nowadays that requires true "physical access" and in the age of virtual machines it's even more true. As MS themselves once noted, if the bad guy can get you to run their program on your computer it's not your computer anymore.

"For example an escalation bug that can only be used when sitting at a machine and using a very complex set of criteria would affect practically nobody ..."

Not correct, not only because of malware (including JavaScript coming from hacked legit websites) but because one of the beauties of computers is that once someone has figured out how to do something evil, it's almost always trivial for the rest of the world to then do it.

Men are officially the worst… top-level domain


Throw in others and...

you'll have what companies are also seeing. Start with .stream and .pw

Some large companies are simply blocking all 1,000+ and allowing exceptions as needed. The new stuff is as big a cesspool as .info and .biz turned out to be. If you're a real company, don't even think about using .pro because the real "pros" have beat you to it.

G Suite admins need to RTFM – thousands expose internal emails


Is there a glossary? If so, how does it have "Public" defined?

Public: "The seven BILLION people on Planet Earth! No username or password required for anyone."

Citrix snuffs Xen and NetScaler brands


And they are now changing their corporate name!

To citrix.com in all lower case, of course.

Noise from blast of gas destroys Digiplex data depot disk drives


How do they know it was the sound and not the smell?

Perhaps a former co-worker of mine now works there. He could stop anything in its tracks with his gas discharge.

AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet



I had a serious fight to get HSTS and DNSSEC implemented because Marketing was whining too loudly about the "What if..." nonsense. I won but I got scarred. Now we don't even bother to let them know unless they ask and being Marketing types they are totally inept technically so they never ask.


Re: A lot of sites still sport self-signed certificates

All a CAA record does is prevent non-listed Certificate Authorities from issuing a certificate for that domain. And as long as ID-10-Ts want to save a few dollars and use Let's Encrypt, a CAA record authorizing Let's Encrypt effectively authorizes the world.

Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!


So 1.1 cents per record

And they say that breaches are expensive.

IETF: GDPR compliance means caring about what's in your logfiles


So in the State of Nevada where the government wrote PCI into law, meaning you are obligated to comply with all provisions of the PCI DSS, it's OK to keep all of that data. Presuming you are subject to GDPR, of course.

Perhaps this could inspire multinationals to incorporate in Nevada instead of Delaware and move all of the headquarters to Las Vegas. Their travel expenses to junkets also would be reduced. Win-win!


"You can't possibly detect and investigate suspected breaches in three days."

Correct! That's the point. If you can't detect a breach it never happened and you do not have to disclose it. The GDPR lawyers actually were brilliant.

Gmail is secure. Netflix is secure. Together they're a phishing threat


Why should punctuation in a name indicate a different person any more than it does in real life?

"John Doe Jr" is the same as "John Doe Jr." in real life. "John J Doe" is the same on any legal document as "John J. Doe".

Treating punctuation differently in email addresses is no different than typo-squatting a domain name except it's less obvious.

Gmail has been this way for years and other sites should follow their example on all new email addresses. We know what evil lurks on the Internet so let's close off the easy methods rather than relying on Grandma seeing that tiny dot in her email address which she never looks at anyway.
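The normalisation the post argues for, as an added example that is not part of the original comment: addresses are reduced to a canonical form before comparison and before a new registration is accepted, so a dotted variant of an existing mailbox cannot be registered as a different person. Assumptions (labelled in the code): dots in the local part are ignored, as the post says Gmail does, and comparison is case-insensitive; the roster entries are constructed.

```python
"""Canonicalise email addresses so punctuation variants map to one identity.

Added example, not from the original post. Assumed rules: dots in the local
part carry no meaning (the Gmail behaviour the post refers to) and matching
is case-insensitive. Everything after the '@' is left intact apart from case.
"""
from typing import Dict, Optional


def normalize_email(address: str) -> str:
    """Return the canonical form: local part without dots, everything lowercase.

    Raises ValueError when the string has no '@', an empty local part or an
    empty domain, or when the local part is nothing but dots.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    canonical_local = local.replace(".", "").lower()  # assumed rule: dots ignored
    if not canonical_local:
        raise ValueError(f"empty local part after normalisation: {address!r}")
    return f"{canonical_local}@{domain.lower()}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two spellings denote the same mailbox under the assumed rules."""
    return normalize_email(a) == normalize_email(b)


class Registry:
    """Account roster keyed by canonical address.

    'j.doe@example.com' and 'jdoe@example.com' collide here, which is the
    registration-time check the post asks other sites to adopt.
    """

    def __init__(self) -> None:
        self._by_canonical: Dict[str, str] = {}

    def register(self, address: str) -> bool:
        """Register the address; False if its canonical form is already taken."""
        key = normalize_email(address)
        if key in self._by_canonical:
            return False
        self._by_canonical[key] = address
        return True

    def lookup(self, address: str) -> Optional[str]:
        """Return the originally registered spelling for any variant, or None."""
        return self._by_canonical.get(normalize_email(address))


if __name__ == "__main__":
    roster = Registry()  # constructed sample roster
    roster.register("john.doe@example.com")
    for attempt in ("johndoe@example.com", "J.O.H.N.Doe@Example.COM",
                    "john.doe@example.org"):
        verdict = "rejected" if not roster.register(attempt) else "accepted"
        print(f"{attempt}: {verdict} (canonical {normalize_email(attempt)})")
```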

Microsoft Office 365 and Azure Active Directory go TITSUP*


There is no "cloud". It's just someone else's computer, as Orifice 365 definitely is.

My PC makes ‘negative energy waves’, said user, then demanded fix


"Roger"? The name should have been "Moriarty"

https://www.youtube.com/watch?v=ncbEucjsNFU - I'm going to have to watch Kelly's Heroes again tonight.