I thought I’d lead you on a backward journey to explore some of my favorite posts. Just for fun, notice the year some of these posts were written.
I’ve picked several posts that are a bit different from each other. Most likely, you haven’t seen most of these posts.
Filed under ACL, Audit, Case Files, How to..., Humor/Irony, Quote of the Weak, Security Scout, Technology
This time, it was my turn to call someone for help.
The phone rang half a ring before I heard a familiar “Hello?” on the other end.
“Hi, James, it’s Mack. I need a favor from you, and I need today, before 5 pm.”
“Not urgent, huh?”, James teased.
“Not really, I just need it today. And I need you to keep it quiet,” I warned.
This is the second post in a series. See Behind Locked Doors: Part 1.
Filed under Audit, Case Files, fraud, Security, Technology
And in unprotected documents.
Lots of passwords. Lots of documents. Lots of easy access.
Filed under Audit, Humor/Irony, Security
I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.
I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”
There goes the afternoon.
Filed under Security, Security Scout, Technology
If you enter a password into a login box and your password disappears, look for it!
I’m serious, because it happened again today. Not to me, but to my colleague.
Filed under Security, Security Scout
Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.
Twitter says the passwords were encrypted, the intrusion was limited, and and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.
A library near me implemented self-checkout stations that use touch screens that make it easy to lose your password.
Those of you who’ve been around might remember I have written before about libraries and how I’ve found questionable security.
So how do you lose your password?
Filed under Security, Security Scout, Technology
According to the following article, the cloud is safer because the cloud data center is bigger than yours and has better fences. Oh, and passwords need to be hard to use so that others can’t use them.
Filed under Quote of the Weak, Security, Technology
During an audit, I had a vendor provide me with access to data I shouldn’t have, no questions asked. I didn’t ask for the access, I just needed some information for my audit.
The audit involved checking some vendor software to determine whether it is patched by IT on a regular basis. I obtained from IT a screenshot of the version number of software that was installed, but needed to know the last couple of versions released by the vendor. The admin was going to send me the URL because he said I probably wouldn’t find it the info on the vendor’s site. After a couple days of waiting for the URL, I took matters into my own hands and went to the vendor’s website.
Filed under Audit, Case Files, Security, Security Scout
A lot of company data is lying around unprotected, making it very easy to steal. No, I’m not talking about picking up other people’s documents at the printer. Stealing printouts isn’t hard, but it can be risky, especially if the printer is a busy one. Besides, it has 2 other problems:
There’s a much better way that is fast, easy, simple, raises no suspicion, and is basically impossible to detect, if you do it correctly. Can you think of what it is?
A friend of mine received the following email on Friday, 2 full days after the LinkedIn attack was made public, titled “Important update regarding your LinkedIn password”. Here’s the text she received, addressed to her by her first and last name:
[see UPDATE below]
Filed under Security
When you use a shared PC, sometimes you get to share other people’s passwords. Especially when people are kind of led to believe they’re safe.
I was wandering around the security landscape last week and was at a client’s business which is quite large and has kiosk PCs for employees and visitors to use to access the open Internet (they lock social networking and other stuff down pretty tight on the business network, so usually you see lines of people tapping away at the rows of kiosk PCs).
Filed under Security, Security Scout
On 4/13/11, WordPress announced it suffered a root-level hack of their servers and that “anything on those servers could have been revealed.”
Nothing is said about WHEN the hack occurred. From experience, I can tell you that you generally don’t announce a security incident until you’ve investigated it thoroughly, and that can take at least a day, sometimes more, depending on whether you have experts in-house or can get them in a hurry.
This attack directly affects only blogs or accounts hosted by WordPress (in other words, your blog URL ends with “wordpress.com”. If you host your own WordPress blog, you are indirectly affected. How? Since WordPress source code may have been compromised, attackers may be combing through it to find vulnerabilities that will allow them to attack any blog running WordPress, regardless of where it’s hosted.
If you have a blog or account that is hosted at wordpress.com, at least do the following immediately:
I found some really pathetic password help pages on a company’s intranet while I was there visiting.
This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”
Filed under Audit, Humor/Irony, Security, Security Scout
I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!
Filed under Humor/Irony, Security, Security Scout
I have heard enough about how security practices keep users from being productive. I constantly hear people complain about the evils of complex passwords (or any password on a smart phone), password expiration, encryption, web filters, lack of admin access on laptops, etc., and how they are such a drag on user productivity and the bottom line.
Filed under Security
I’ve been absent from the blog lately due to a number of pressing projects, one which was rebuilding a friend’s Windows XP box after a trojan massacre (and I thought only auditors stabbed the wounded — you should have seen the legions on that box).
When I delivered the newly minted OS and applications, my friend informed me that another set of email spam was sent from her Hotmail account at 3:20 am that morning. She asked me whether I was working on the PC at the time. I told her that not only was her PC turned off at that time, it was unplugged.
Filed under Quote of the Weak, Security
Whether you’re new to this blog or not, you might have missed a few good posts. Here’s some links and short descriptions.
Schneier’s Security Trade-offs – Security expert Bruce Schneier’s 5 questions for assessing the security process of anything.
Filed under Humor/Irony, Security
I ran across Tom Olzak’s post where he quotes from an SANS article by Daniel Wesemann, Password rules: Change them every 25 years. I disagree with both of them on a few points.
First, Olzak notes in his introductory paragraph that
Filed under Security
I know a lot of you are security conscious and some of you even roll your eyes at clueless users who seldom think of security. But how many of you regularly use an account on your home or work computer (or both) that have administrative or root privileges?
Most of you KNOW that using an account with privileged access on a daily basis to create documents, read email, and surf the web , etc., is a bad idea. Perhaps you think that because you’re more security conscious and more careful that it isn’t as much of risk for YOU. Continue reading
Filed under Security
A couple of weeks into a new job, I was told that I was now in charge of the Internet firewall. I suddenly realized I had two major problems:
Filed under Security, Security Scout
While I realize many bloggers do “Quote of the Week,” it was Audit Monkey who gave me the idea. Here’s my very first quote:
Who uses special characters in passwords? Nobody does that.
Filed under Quote of the Weak, Security
My last post, Password, Password on the Wall, triggered a memory of another password issue I stumbled upon some time ago.
I had flown across the country to help a fellow system administrator upgrade some of his applications. At one point, we left the data center and ventured out to the factory floor to fix a botched client software installation.
Filed under Security, Security Scout
Okay, so you’re not up to a wastebasket audit? Too demeaning, too sneaky, too many sticky candy wrappers? How about a simple server share audit?
Many companies have shared drives, and then they have “over-shared” drives, those locations where anyone who needs a space to store files that they share with a couple departments. Or perhaps your company just doesn’t lock their shares according to the least privilege principle.
Top 100 Network Security Tools is the third article in a series on audit and security tools. The first article, How to Stay out of Jail, stresses that you need a GOOJ card before you use any security tools or techniques. The second article, What Needs to be on a GOOJ Card, outlines how to create a GOOJ card.
Key point: Never use security or cracker tools on networks or devices from your employer or that you do not own unless you have permission in writing.
In this article, I describe a few security tools that I believe every auditor or security analyst should be familiar with, or at the very least, be aware of.
No, I’m not suggesting that you don’t answer your phone. Just be careful what you do or say when you are called or contacted.
What am I talking about? A principle I refer to as the CONTACT principle, which will keep your private information private:
Filed under Security, Security Scope
ITauditSecurity 