This time, it was my turn to call someone for help.
The phone rang half a ring before I heard a familiar “Hello?” on the other end.
“Hi, James, it’s Mack. I need a favor from you, and I need today, before 5 pm.”
“Not urgent, huh?”, James teased.
“Not really, I just need it today. And I need you to keep it quiet,” I warned.
This is the second post in a series. See Behind Locked Doors: Part 1.
And in unprotected documents.
Lots of passwords. Lots of documents. Lots of easy access.
I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.
I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”
There goes the afternoon.
If you enter a password into a login box and your password disappears, look for it!
I’m serious, because it happened again today. Not to me, but to my colleague.
Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.
Twitter says the passwords were encrypted, the intrusion was limited, and and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.
A library near me implemented self-checkout stations that use touch screens that make it easy to lose your password.
Those of you who’ve been around might remember I have written before about libraries and how I’ve found questionable security.
So how do you lose your password?
According to the following article, the cloud is safer because the cloud data center is bigger than yours and has better fences. Oh, and passwords need to be hard to use so that others can’t use them.
During an audit, I had a vendor provide me with access to data I shouldn’t have, no questions asked. I didn’t ask for the access, I just needed some information for my audit.
The audit involved checking some vendor software to determine whether it is patched by IT on a regular basis. I obtained from IT a screenshot of the version number of software that was installed, but needed to know the last couple of versions released by the vendor. The admin was going to send me the URL because he said I probably wouldn’t find it the info on the vendor’s site. After a couple days of waiting for the URL, I took matters into my own hands and went to the vendor’s website.
A lot of company data is lying around unprotected, making it very easy to steal. No, I’m not talking about picking up other people’s documents at the printer. Stealing printouts isn’t hard, but it can be risky, especially if the printer is a busy one. Besides, it has 2 other problems:
- Your chances of picking up confidential data are low at any given time.
- The person will look for the printout and wonder what happened to it.
There’s a much better way that is fast, easy, simple, raises no suspicion, and is basically impossible to detect, if you do it correctly. Can you think of what it is?
Here’s my list of IT/security basics that I think IT auditors ought to know. If you can’t understand and audit these items, you do not know enough about technology to avoid having the wool pulled over your irises (not matter how good an auditor you are). The list is in no particular order.
If you’re a CISA or CISSP and you don’t know the following, I think you have some work to do.
On 4/13/11, WordPress announced it suffered a root-level hack of their servers and that “anything on those servers could have been revealed.”
Nothing is said about WHEN the hack occurred. From experience, I can tell you that you generally don’t announce a security incident until you’ve investigated it thoroughly, and that can take at least a day, sometimes more, depending on whether you have experts in-house or can get them in a hurry.
This attack directly affects only blogs or accounts hosted by WordPress (in other words, your blog URL ends with “wordpress.com”. If you host your own WordPress blog, you are indirectly affected. How? Since WordPress source code may have been compromised, attackers may be combing through it to find vulnerabilities that will allow them to attack any blog running WordPress, regardless of where it’s hosted.
If you have a blog or account that is hosted at wordpress.com, at least do the following immediately:
I found some really pathetic password help pages on a company’s intranet while I was there visiting.
This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”
I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!
I have heard enough about how security practices keep users from being productive. I constantly hear people complain about the evils of complex passwords (or any password on a smart phone), password expiration, encryption, web filters, lack of admin access on laptops, etc., and how they are such a drag on user productivity and the bottom line.
I’ve been absent from the blog lately due to a number of pressing projects, one which was rebuilding a friend’s Windows XP box after a trojan massacre (and I thought only auditors stabbed the wounded — you should have seen the legions on that box).
When I delivered the newly minted OS and applications, my friend informed me that another set of email spam was sent from her Hotmail account at 3:20 am that morning. She asked me whether I was working on the PC at the time. I told her that not only was her PC turned off at that time, it was unplugged.
Whether you’re new to this blog or not, you might have missed a few good posts. Here’s some links and short descriptions.
Schneier’s Security Trade-offs – Security expert Bruce Schneier’s 5 questions for assessing the security process of anything.
I know a lot of you are security conscious and some of you even roll your eyes at clueless users who seldom think of security. But how many of you regularly use an account on your home or work computer (or both) that have administrative or root privileges?
Most of you KNOW that using an account with privileged access on a daily basis to create documents, read email, and surf the web , etc., is a bad idea. Perhaps you think that because you’re more security conscious and more careful that it isn’t as much of risk for YOU. Continue reading
A couple of weeks into a new job, I was told that I was now in charge of the Internet firewall. I suddenly realized I had two major problems:
- I did not know squat about firewalls.
- I did not know the firewall password.
While I realize many bloggers do “Quote of the Week,” it was Audit Monkey who gave me the idea. Here’s my very first quote:
Who uses special characters in passwords? Nobody does that.
My last post, Password, Password on the Wall, triggered a memory of another password issue I stumbled upon some time ago.
I had flown across the country to help a fellow system administrator upgrade some of his applications. At one point, we left the data center and ventured out to the factory floor to fix a botched client software installation.
Top 100 Network Security Tools is the third article in a series on audit and security tools. The first article, How to Stay out of Jail, stresses that you need a GOOJ card before you use any security tools or techniques. The second article, What Needs to be on a GOOJ Card, outlines how to create a GOOJ card.
Key point: Never use security or cracker tools on networks or devices from your employer or that you do not own unless you have permission in writing.
In this article, I describe a few security tools that I believe every auditor or security analyst should be familiar with, or at the very least, be aware of.