If you know me, you know I am interested in computer security. Well, I just came across a book that, in my opinion, should be required reading for everyone using the Internet.
The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime
Scott Augenbaum worked as an FBI agent investigating cybercrime for nearly 20 years. He is now retired, and has written a book describing steps you can take to protect yourself from cybercrime.
In his quest to become knowledgeable about cybersecurity, Scott trained for and received numerous security certifications. So, from an academic standpoint, he knows his stuff.
But, where the book really shines is the perspective it brings. Scott has investigated more cybercrime in his life than most of us will ever see. The stories he tells widen our perspective about what cybercrime really is.
Based on his experience, Scott then carefully selects the steps you can take to protect yourself from the cybercrime he investigated. The part that I appreciate most is his selection of actions. It is small enough to be doable, but secure enough to be effective.
Have you ever been in Windows, and said “Darn, I wish I could run (enter your favorite Linux tool that isn’t in Windows)”. Well, create yourself a Linux VM! Get the benefits of Linux AND Windows with a FREE virtualization tool called Virtualbox.
I’ve been programming in Go for more than 3 years now, so I decided to do a presentation about Go. Here is a presentation I gave last spring at OAUG, and repeated for NWOUG.
Golang is a relatively new language from Google. It features: Concurrency. Emerging web technologies. Fast compiles. Statically-linked binaries. Cross platform. Really fun too.
Earlier this month, I did a Lunch-n-Learn presentation for the Northwest Oracle User Group.
To secure your Oracle databases, you need to secure the underlying operating system. Security experts agree that minimizing the software installed on your system will improve your security; it’s fewer places for hackers to penetrate your systems. So, how hard is it to run Oracle 12c and 11gR2 databases on Linux with the minimum RPMs installed? Come see! Come learn about the Linux minimum RPM installation, Linux firewalls, and how that affects running your Oracle databases. You will be pleasantly surprised.
At the Fall 2014 Northwest Oracle User Group conference, I did a presentation about Oracle Enterprise Manager 12c.
OEM 12c has a much different architecture than 11g, and it is *so* much better. ITIL-like event management, pluggable target types, a new security model, etc. Wow – not just a face lift! Come and see Oracle’s latest monitoring and management technology and hear about best practices for implementing.
Mandiant incident responders have already identified successful attacks in the wild by targeted threat actors.
And, to top it off, the New York Times article Heartbleed Highlights a Contradiction in the Web is a very troubling and accurate article highlighting some very serious issues with open source: the funding (or more accurately, lack of funding), and the quality assurance process. It is an indictment against anyone who uses open source software, but does not contribute to the project (like me). Mea Culpa. But, I have lots of company: there are lots of for-profit companies that use open source technologies in their commercial products, but do not contribute.
Heartbleed is the rage. Everybody is talking about it. OK, ok. So, I need to write something. Here are the results of my research about Heartbleed:
Make sure your computers, smartphones, and tablets are patched.
Apple products do not have the vulnerability, so they don’t need to be patched.
I can’t figure out if Windows products need a patch or not. Probably should, just in case.
If you are running Windows XP, you should consider upgrading or switching because there are no more patches for Windows XP: Windows XP is a bigger hacker threat than Heartbleed. I personally believe this is a worse security problem than Heartbleed.
If you are running Windows XP, and are tired of paying for new software, you could check out Ubuntu. It won’t run Windows programs, but it is a very friendly version of Linux, and almost all of the software on it is free, including Thunderbird email, and the LibreOffice office suite (word processing, spreadsheet, and presentation software, supposedly compatible with their MS Office counterparts).
After the dust settles, plan to do some password changes and credit card number changes. Here is the easiest way:
1) Get a new credit card.
2) Review your old credit card statement, and make a list of all automated charges.
3) Go to the websites to change the credit card number for the automated charges. At each site:
   Make sure the website is not vulnerable. The Forbes article tells you how (they may have a public statement on their website, or you can contact them to check).
   Change your password.
   Enter your new credit card number.
   Save your changes.
4) Repeat until you’ve fixed all the sites where you have automated charges.
5) Cancel your old credit card.
If you have a hard time thinking up a new password, you can get a password manager to do it for you: The Best Password Managers
If you use a mobile device (tablet, smartphone), make sure whatever password manager you choose has mobile support.
When you want to go to a new site, that doesn’t know your new credit card number, just do step 3.
It’s a pain, but that way, it doesn’t matter if anyone knows your old credit card number or not – it’s not valid anymore.
Techno-geek details:
The people who found the vulnerability give a great amount of detail here: The Heartbleed Bug
On the server side, a lot of people are racing around, trying to figure out if their products and websites are vulnerable, and scrambling to install fixed versions of software. Older products and websites are not affected. We actually have one client (who shall remain nameless) that installed an older version of their VPN gateway, so they would not be vulnerable. For people who are managing servers and websites, it is a big deal and a big pain.
This came through the bugtraq mailing list yesterday.
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the ‘People You May Know’ mechanism on Facebook, which is the mechanism by which Facebook suggests new friends to users.
With attacks being on the rise, Facebook is often targeted by hackers for the information it possesses. Users rely on Facebook to maintain their privacy to the best of Facebook’s ability.
To execute the attack, an attacker needs to create a new user on Facebook, and send a friend request to the victim. The victim declining the request is irrelevant. At this point Facebook begins to suggest to the attacker people he may know, with the option of clicking a ‘see all’ button for convenience. The people suggested at this point are the friends of the user to whom the attacker sent a friend request, even when the friends list of the victim is set to private, and the other suggested users also have their friends list private.
FB responded that: “If you don’t have friends on Facebook and send a friend request to someone who’s chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone’s complete friend list.” However, research of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any case, even a partial friends list is a violation of user-chosen privacy controls.
Since this vulnerability renders the privacy control to hide friends lists from other users irrelevant, we hope Facebook will change its mind and this flaw will be addressed.
Irene Abezgauz, VP Product Management at Quotium and Seeker Research Center leader is credited with the discovery of this vulnerability.
Here are some notes about CryptoLocker from Pete Beebe, one of my colleagues at Jibe Consulting:
A Malware virus has been making the rounds recently that folks should be aware of.
This particularly nasty malware virus is packaged as an attachment in an e-mail sent from a supposedly reputable vendor such as FedEx, UPS or DHS. The e-mail is designed to mislead the reader into downloading the apparently harmless attachment zip file.
Once downloaded and installed this “CryptoLocker” application proceeds to scan and Encrypt as many common files as possible, even those on network file shares accessible from the computer.
The malware application then pops up a Ransom message informing the computer user that their files are encrypted and inaccessible until money is paid to unencrypt the files. If the computer user fails to pay the ransom in 4 days then the private encryption key is deleted, making all encrypted files inaccessible and useless.
As you can surmise, in a business environment this can be disastrous.
What can you do to prevent this?
Be vigilant regarding what e-mails and attachments you open. If suspicious, always look at the e-mail address and try to determine if the address is legitimate. Even this isn’t foolproof given that spammers can easily spoof the e-mail address. Notify the Help Desk if in doubt. We are willing to review any suspicious e-mails for you if you do not feel confident in their legitimacy.
If an e-mail represents itself as a legitimate business and has links embedded in the e-mail, mouse over the link and look at the pop-up showing the web address the link refers to. Most legitimate business related e-mails have a linked web address that can be traced back to their official web-site. If the URL link doesn’t match the official website of the e-mailer then don’t click on it.
If an e-mail is received from a known business associate but still looks suspicious, e-mail them back asking for confirmation or pick up the phone and speak with them to obtain confirmation that the e-mail was indeed sent and legitimate.
Do not use company equipment and network access for personal use. This will not completely eliminate the risk but can dramatically reduce the chance of infection. Those family e-mails or friend’s pictures from last night can wait until you are at home and on your own computer and network.
I was attending the NorthWest Oracle Users Group meeting on Monday. At the beginning of the conference, there was the usual conference business and announcements. The speaker announced that the 1:00 PM technical talk was cancelled due to illness. I looked at the schedule, and thought: Dang. There is nothing else that I want to attend at 1:00 PM. What am I going to do? Probably some of the other people at the conference felt the same way too.
Then, I had a crazy idea. Why not create a database security presentation, and present it at 1:00 PM? I suggested it to my colleague Kelly Gallagher. Kelly is on the board of the NWOUG. She thought it was a great idea. What is the title? How to Protect your Oracle Database from Hackers. Oops. Now, I was on the hook for creating and delivering a presentation about database security in less than 4 hours.
Well, I did it. Here is the presentation. Some people seemed interested. Kelly said three people commented, and said the presentation was excellent.
Today, I was working on an issue at a client site. I was given a Windows domain account and a personal certificate to login to their VPN. I don’t know how the Windows domain account was created, but I’m assuming that it was nothing special.
Once I connected to VPN, I Remote Desktop’ed into the Windows server with my Windows domain credentials, and started working the issue. I began looking around. I found some errors, and had some emails back and forth with the client to work the problem. Eventually, I discovered that I was working on the wrong server. Oops.
I was grousing over the fact that the client hadn’t given me the correct server info or account login info, when all of a sudden, it hit me: without the correct server or login info, I was able to login to a Windows server, and do work. Could I login to ANY Windows machine with those Windows domain credentials?
Well, it turns out that the answer may be YES, unless additional explicit setup is performed by your Windows administrator. In fact, it not only affects Windows machines, but potentially, any server or service you have authenticated by Microsoft Active Directory (AD):
Windows machines.
Linux machines.
Oracle Hyperion installs.
Oracle Business Intelligence EE.
Oracle E-Business Suite.
Oracle RDBMS (for enterprise users).
Oracle Fusion Middleware.
Web servers in general.
Etc.
For Windows machines in general, you need to consider:
Authentication: Windows domain accounts.
Access Control: Some additional access control mechanism (unless you want all Windows domain users to be able to access all your Windows machines).
Not only does it affect Windows, but it can also affect anything that relies on Microsoft Active Directory for authentication. All software and operating systems want to integrate with Microsoft Active Directory for authentication. It’s wonderful – you get to use the same username and password everywhere, have a central point of administration for account management, etc.
But, to make a secure Microsoft Active Directory integration, you need to consider:
Authentication: Integration with Microsoft Active Directory for authentication.
Secure communication: SSL on the connection between your service and your Microsoft Active Directory domain controller, otherwise, you may be transmitting passwords in cleartext over the network, depending on how the authentication occurs.
Access Control: Some additional access control mechanism (unless you want all Windows domain users to be able to access your service).
I think the main message is that you need to separate the concepts of authentication and access control, and remember that by default, Microsoft Active Directory only takes care of the authentication part. It does not, by default, take care of the access control part, and the access control part is really critical too.
Some things that you integrate with Microsoft Active Directory may not grant access to an authenticated user unless explicit access is also configured. That is the desirable behavior. So, the problem does not affect everything. It only affects those things that, by default, grant access to any authenticated Windows domain user (like Windows machines…).
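As an added example (not from the original post or any of the replies below), here is a PowerShell script that makes the authentication-versus-access-control split concrete: it audits where a domain account is allowed to log on and what local rights it holds on one server, then restricts the account to that server. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the server, and the placeholder names CONTRACTOR01 and APPSRV01.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, PowerShell remoting to the target server, and rights to read/modify
# the account. CONTRACTOR01 and APPSRV01 are placeholders.
Import-Module ActiveDirectory

function Get-AdAccountExposure {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ServerName   # the one server the account should use
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations, MemberOf

    # 1) Authentication scope: an empty LogonWorkstations list means the account
    #    may log on to every machine in the domain (the default).
    $allowed = if ([string]::IsNullOrEmpty($user.LogonWorkstations)) { '<ALL MACHINES>' }
               else { $user.LogonWorkstations }

    # 2) Domain-level groups that grant broad rights (direct membership only).
    $broad = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } |
             Where-Object { $_ -in 'Domain Admins', 'Administrators', 'Remote Desktop Users' }

    # 3) Access control on the server itself: local group membership that
    #    grants RDP or administrative access to this account.
    $local = Invoke-Command -ComputerName $ServerName -ScriptBlock {
        foreach ($g in 'Remote Desktop Users', 'Administrators') {
            Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                Select-Object @{ n = 'Group'; e = { $g } }, Name
        }
    }
    $rights = $local | Where-Object { $_.Name -like "*\$SamAccountName" } |
              ForEach-Object { $_.Group }

    [pscustomobject]@{
        Account             = $user.SamAccountName
        LogonWorkstations   = $allowed
        BroadDomainGroups   = ($broad -join ', ')
        LocalRightsOnServer = ($rights -join ', ')
    }
}

# Remediation: limit the account to the server(s) it is meant to work on.
# This is the "which servers the account can log onto" setting on the account;
# pair it with the server's own RDP/admin group membership, not instead of it.
function Restrict-AdAccountToServer {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $ServerNames   # NetBIOS names
    )
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($ServerNames -join ',')
}

# Usage with placeholder names:
Get-AdAccountExposure -SamAccountName 'CONTRACTOR01' -ServerName 'APPSRV01' | Format-List
Restrict-AdAccountToServer -SamAccountName 'CONTRACTOR01' -ServerNames 'APPSRV01'
```

The audit output with LogonWorkstations showing <ALL MACHINES> and an empty LocalRightsOnServer column is exactly the "authenticated everywhere, explicitly authorized nowhere" state the post describes.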
I am not a Windows expert, so I contacted the Internet Storm Center for clarification. Some very kind folks at the Internet Storm Center responded. In the order received:
From Guy Bruneau:
I’m no expert on Window AD account restriction but I know you can restrict access to certain boxes via AD. Other Handlers that administer Windows server might answer your question with more details.
From Mark H:
Hey Jeff, It is normal behavior in Windows world, but you do not have to live with the default behavior. What we usually do is change what devices the account can log onto. In AD you can specify exactly which servers the account can log onto. That restricts these kinds of issues and you would have only been able to work on that one device.
From Rob VandenBrink:
You typically need to grant RDP access, but in a lot of cases the users are domain admins, so access isn’t a problem. There are multiple access control methods – a few are outlined here:
http://technet.microsoft.com/en-us/library/cc753032.aspx
http://support.microsoft.com/kb/290720
But your other observation is spot on – if you have a working account, it’s a great foothold – it’s very common to find “normal” AD users with all sorts of permissions they shouldn’t have.
From Russ McRee:
Granular access and provisioning can (should) absolutely be achieved with Active Directory. Users and machines can be encapsulated in Organizational Units (OUs) and permission established for specific systems granted via membership in security groups. Sounds like the folks who gave you access have a flat unstructured domain environment wherein everyone with an account has access to everything. Easy to do, sadly common, but not recommended.
From Chris Mohan:
>>>I am curious: do normal MS administrators consider limiting access when they create MS AD accounts?
It should be standard practice to define an account that has access to only the resources the party has to interact with. That understanding is part of any Ms training and documentation on the topic. I can attest it’s drilled in to anyone taking Ms training, qualifications or that’s read any of the Ms best practice papers.
>>>If MS AD authentication = access, then having an MS AD account grants you a lot of access.
Only if misconfigured by the administrator to allow excessive, unnecessary permissions. Sadly this is a general problem, seen commonly across the IT space. Someone running a system or network handing out admin/Root level access “because it’s easier that way” or they simply don’t understand the risk of providing that level of control.
I’d submit that the administrators of that environment hadn’t followed standard, basic security practices for least privileges and limited, defined access, if they only meant for you to work on one server, rather than a group of them. I’d gently bring this up with the client as they may not be aware of this security misstep.
My colleague at Jibe Consulting, Pete Beebe, our Windows admin, wrote this:
No, unless the domain administrator explicitly allowed ‘log on to server’ permissions for the AD account that you were using. Normally the ‘log on to server’ policy is included in the Remote Desktop Connection security group. If an account (other than administrator) is not added to the proper security group then logon access to the server is denied. As noted by your later e-mail, it is also possible to explicitly define the server(s) that an AD account can logon to. This combined with the local policy setting (for non-domain servers) and Group policy setting (for Domain member servers) would determine the accessibility of the AD account you’re using while on their network.
I also received a response from David at the Microsoft Security Response Center:
Presumably the client created an AD account with access to more than one server. Unless they specifically lock you out of other machines on that domain, you will have access.
So, consider carefully how you set up Windows domain accounts and security. You may be accidentally allowing more access than you bargained for.
P.S. If you’re a Windows administrator, and you see something that needs correction or clarification, please add a comment!