Monday, October 06, 2014

How To Foil Chinese Hackers

I saw the news article today where FBI director James Comey drew an analogy between Chinese hackers and drunken thieves.  If only there were a way to totally insulate oneself from attacks which emanate from hostile foreign countries.  </sarcasm>

If you have custody over a network with internet accessibility and don't have Country Blocking capabilities, get a new firewall that has this feature.  Sophos' UTM appliance is a good example.

Additional diligence by network administrators - especially when there is no legitimate opportunity or use case requiring access to or from China as an example - could render much of the discussion about Chinese hackers moot.

Websites like Norse, which do data visualization for internet attacks on an awesome, 21st century version of the "War Games" big map (see http://map.norsecorp.com), show that the U.S. is under constant attack from foreign countries.  Most attacks originate from predictable sources.  Blocking any and all communication to or from those countries with prejudice is pretty effective, and if we're honest, has very little downside for the vast majority of private network operators.

For our part, we have blocked incoming access from just about every country where we have no business interests (most of them), as well as outgoing access to many of those countries.  This limits the attack surface for compromising machines, and limits the ability of any compromised machine to communicate with whomever is controlling it if they're offshore.

In the movies, doing many hops between controlled systems to hide your tracks is made to look extremely simple - in reality, very few people have the time or inclination to pull this off.  They're usually looking for targets of opportunity - don't give them any, and they'll move along.

Wednesday, October 01, 2014

The Fallacy of "Secure Email"

We're having a rollicking good time lately working with emails that are coming to us using some form of "secure" delivery platform, as an alternative to actually encrypting email end-to-end, which everyone knows is not fun.

Some background...companies big and small are increasingly offering some sort of secure email feature, especially if you use cloud providers like Symantec, Mimecast, Microsoft's Office365, etc.

It sounds great - you don't have to do all of that pesky server configuration, etc., and you like your provider, so it'll be awesome, right?  The thing is, they don't actually encrypt email delivered via SMTP.  Which means, things are about to suck.

Set aside for a moment the fact that "secure internet email" is an oxymoron of nearly biblical proportions - if you don't host your own email, someone else is reading all of it; if you do host your own email, someone else is still reading all of it, but you at least know who that someone else is;  if you send email over the internet, someone else has read it - whether their geopolitical beliefs, conscience, and motives fit yours or not is scarcely relevant to the question of security.  Email isn't secure.  Never has been.

So naturally, if a company starts selling a solution to an impossible problem, someone is going to give it a shot.  After all, nobody ever went broke by underestimating the intelligence of the average consumer, blah blah blah.

How then, do you solve this impossible problem?  Simple, you lie.

When you compose and send a secure message through one of these platforms, the recipient doesn't actually get your message.  They get an email containing a link informing them that a secure email message with subject such-and-such is ready for them to view.  If they click the link, the friendly website will "securely" show them the sensitive contents.

....

Yes, you got it.  The recipient has to create an account on the "secure email delivery" service's system.

Yes, they have to use the email address at which they received the message as their login ID.

Yes, they get to create their own password.

No, you don't get to make that password policy match your own.

No, you don't get to do single sign-on between their service and your authentication system.

No, you don't get to control how long those messages are stored on their service.

No, you don't get to lock out that account when the employee leaves your company.  Yes, if that person gets fired, they can still - potentially forever - get to the sensitive information that was sent to them, at the email address belonging to your company.

Yes, if an attacker had already compromised the recipient's mailbox or credentials, they would also have the ability to control the account at these services and gain unfettered access to this sensitive information.


Lots of unpleasant and colorful terms spring to mind as descriptors of what systems like this really are.

The recipients don't know any of this, and shouldn't have to.  They just need the information to do their jobs, so naturally they aren't very receptive to information security lectures by IT.  But we can't just roll our eyes and sigh and 'fix it' - this isn't fixable.  Using these stupid services wasn't our decision.  We have no control over it, we just know it is an absolutely terrible idea, is totally unsupportable, opens up dozens of new areas of risk, and adds zero value for all the effort.

There are, or may be, some services that bypass this patently idiotic system of creating additional attack vectors for identities altogether.  One interesting method is that the email is printed to a PDF, secured with a password, and delivered directly to the recipient.  The recipient would need to contact the sender for the password.  It's a far, far better idea - no third party websites or accounts to worry about managing, no transmission of information in clear text, an attacker with mailbox access wouldn't be able to see the contents without the password (transmitted by phone or in person), and even sysadmins wouldn't reasonably be able to see the contents on either side.

This would be a viable solution, but Microsoft doesn't offer this service to O365 customers (or anyone).  Their one redeeming quality, if you happen to be an O365 customer already, is that through Azure AD and DirSync configuration, you can at least - sort of - do single sign-on management of login accounts used by recipients.  That of course assumes the recipient knows not to create a new Live ID when they receive an email, and has been trained on the (as of this time undocumented) steps to log in with their company-managed account.

Many other banana-headed services that have barraged us lately don't offer secure PDF delivery either, unknowingly victimizing plenty of well intended but utterly ignorant companies buying the latest flavor of silicon snake oil.

And to think, there's so much opposition to teaching critical thinking skills in our public schools...


Tuesday, September 30, 2014

Microsoft Windows Phone 8.1's Insipid Keyboard

I can't believe how few search engine results there are for the question of how to disable the stupid, pointless, idiotic smileys / emoticons / emojis button on the Windows Phone 8.1 keyboard.  Typing using any method other than the swipe or tapatalk method is absolutely futile - it is the worst touch keyboard I have ever used, and matters aren't helped at all by the inclusion of a "smiley" key.

Located perilously close to the comma, shift, Z, and number shift key, the stupid "smiley" key pops up randomly - usually as I'm expecting a comma to appear, and given that I can type in excess of 80wpm, the result is a string of unintelligible miniature images that add absolutely no value whatsoever to adult businesspeople.  If the kids want it, fine, but why in the heck can we not turn it off - or download another keyboard 'language' that doesn't include this dumb thing?  Why is information on this question so hard to come by?

I know that Ballmer is gone now and that huge companies don't change overnight, but it's difficult to take seriously much of what Microsoft is trying to do as innovators when they don't take themselves seriously.

Monday, September 15, 2014

Eulogizing the Luddite

In the early 19th century, the advancement of technology was seen as a threat by some people who feared it would take away their jobs.  Rather than viewing technologies as tools to help them do more with less effort and better results, they took the view that their cherished and long-honed skills were meaningless and viewed it as a threat.  Rather than embracing the potential benefits, they opposed them vociferously.  These people were referred to as Luddites (history varies as to why).

Today, a true Luddite would be a pretty rare spectacle indeed - shamelessly decrying technology as a threat to their livelihoods, failing (perhaps on purpose) to see how it could allow them to achieve things they would not have been able to otherwise.

However long ago the eulogy for the Luddite was read, their kind have not vanished from the landscape.  They're still among us today, as something far worse - the apologetic, self-hating Luddite.

There's a line in time that serves as an almost insurmountable fence separating those who can develop a working mastery of information technology, and those who cannot for one reason or another.  In my experience it seems to start with those born before 1965 - 1970, with those born later having generally no problems at all utilizing technology to meet their desires, and those born before having generally no affinity nor use for technology in their daily lives.

Here's the rub - lots of people born at or before that line in time have jobs as professional knowledge workers, requiring them to be proficient with technology.

These people are perhaps the single biggest reason IT support organizations exist and remain busy.  In the 30 or so years that information technology has been "a thing" in the enterprise, one constant has remained across time - lots of people don't get it, or don't want to get it, and most of them are old.

We can spend forever attempting to determine why this is, and how to fix it, as though being a Luddite is an illness and we just haven't been able to cure it yet.  My opinion is a lot more harsh, and it's borne from decades of being in the business - decades of doing grunt work for someone else making far more money than me, whose job I could do in my sleep, but who would drown within hours of attempting to do mine.  That fundamental disparity leaves no room for sympathy.

Time is marching on.  Technology isn't going to plateau, nor slow down its advances, for anyone.  At what point is it no longer acceptable for a person to be incapable of utilizing technology to accomplish their duties efficiently?

Let's use the paradigm of technology as it applies to other tools & trades.  How apt are we to hire, let alone pay a premium due to tenure for, a carpenter who is able only to use handsaws while young journeyman apprentices use power saws and the like with all the resulting increases in productivity?  How apt are we to employ a fleet of salespeople who have leather-bound books to contain prospect lists and business cards instead of those familiar with Outlook and CRM solutions?  How much patience would we have for automobile mechanics who were flummoxed by the array of sensors on modern vehicles, or who refused to avail themselves of pneumatic tools?  How about the arborist who refused to use chain saws?  How long will a factory last that won't employ machinery to perform rudimentary tasks such as pipe bending, stamping, etc?

The rest of the world, in a larger majority every day, is employing technology to their benefit - be it information technology, machinery, robotics, automation, etc.  In order for business plans to make sense and be competitive, there's an implicit mastery of technology written into the numbers.  Efficiency isn't a great gift, it is an expectation.

So the question remains, for those who don't get it - those who call their helpdesks to figure out how to use Excel, or send an email to several people, or print something that will staple and collate, and who all sheepishly say "I'm not very good with computers" as though that makes it all okay - how much longer do you expect the world to buy your excuses?  How much longer will we have to carry your sorry, heavy, expensive butt?

It's always easier to just help you out - meaning, do it for you, because if you understood it you'd have learned how to do it yourself the last time.  But every time we do, believe us - we'd be a lot happier reading your eulogy.

Friday, July 18, 2014

Netgear ReadyNAS 516 is Not Ready for Enterprise Networks

I've been saddled with one of these dreaded things with a gun pointed to my head.  Nothing can be worse.

In any event, if you were to unbox and connect a Netgear ReadyNAS to your corporate network, and said ReadyNAS came from the factory with OS Version 6.0.8, and said network had a firewall that didn't allow any and every HTTP request to flow through it unfettered, you would have the same odd experience I had.

You would log in with the default admin credentials, and be prompted to run through a wizard.  You could cancel out of it or complete the steps - wouldn't matter.  Either way, when the wizard exits, you would get a continual 'flashing' or cycling webpage.  It would flash between a hint of the admin console, a box saying "Connection Lost", and the splash screen for the device.  You would never be able to click on anything with any success.  You could restore the OS, restore to factory defaults, and basically end up in the same death spiral.

If however you looked at said firewall to see what traffic, if any, was hitting it from the IP used by the ReadyNAS, you'd see lots of HTTP requests going to subdomains of netgear.com and readynas.com, and even the stray IPv4 address.  You might try to open them one at a time a la "whack-a-mole", or you would just allow all traffic from that IP address - like I did - which works.
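Rather than playing whack-a-mole by hand, the firewall log can be mined for exactly the destinations the device is failing to reach, so the resulting allow rules are scoped to the NAS and to those hosts instead of "all traffic from that IP".  The following is an added example, not code from the original post or from Netgear: it parses constructed log lines in a generic key="value" UTM style (the format, the NAS address 10.0.5.20, and the destination hosts and IPs are assumptions), keeps only dropped connections sourced from the NAS, aggregates them by destination (FQDN when the log carries a URL, otherwise the IP), and renders one scoped allow rule per destination.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

NAS_IP = "10.0.5.20"  # assumed LAN address of the ReadyNAS

# Constructed sample log (generic UTM style; not real Netgear/Sophos output).
SAMPLE_LOG = """\
2014-07-18T09:12:01 fw: action="drop" srcip="10.0.5.20" dstip="203.0.113.7" dstport="80" url="http://updates.netgear.com/readynas/6.x/check"
2014-07-18T09:12:01 fw: action="drop" srcip="10.0.5.20" dstip="203.0.113.7" dstport="80" url="http://updates.netgear.com/readynas/6.x/check"
2014-07-18T09:12:03 fw: action="drop" srcip="10.0.5.20" dstip="198.51.100.12" dstport="443" url="https://api.readynas.com/v1/register"
2014-07-18T09:12:05 fw: action="drop" srcip="10.0.5.20" dstip="192.0.2.44" dstport="80"
2014-07-18T09:12:06 fw: action="accept" srcip="10.0.5.20" dstip="10.0.5.1" dstport="53"
2014-07-18T09:12:07 fw: action="drop" srcip="10.0.5.99" dstip="203.0.113.7" dstport="80" url="http://updates.netgear.com/other"
"""

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Pull key="value" fields out of one log line (empty dict if none)."""
    return dict(_KV.findall(line))


def destination_key(rec: Dict[str, str]) -> Tuple[str, str]:
    """Prefer the URL host (what you would allow by FQDN); fall back to IP."""
    host = urlsplit(rec["url"]).hostname if rec.get("url") else None
    return (host or rec["dstip"], rec.get("dstport", "any"))


def blocked_destinations(log_text: str, src_ip: str = NAS_IP) -> Counter:
    """Count dropped (host, port) pairs whose source is src_ip."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") == "drop" and rec.get("srcip") == src_ip:
            hits[destination_key(rec)] += 1
    return hits


def allow_rules(log_text: str, src_ip: str = NAS_IP) -> List[str]:
    """Render one allow rule per destination, most frequently dropped first."""
    ordered = sorted(blocked_destinations(log_text, src_ip).items(),
                     key=lambda kv: (-kv[1], kv[0]))
    return [f"allow tcp from {src_ip} to {host} port {port}  # {n} drops"
            for (host, port), n in ordered]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

The rule text is pseudo-syntax to be translated into whatever the firewall speaks; the point is the scoping: the source is the NAS only, each destination is named, and anything the device reaches that is not on the list (the line from 10.0.5.99 above, for instance) stays blocked and visible in the log.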

Thanks bags, Netgear, for again making the lives of IT professionals everywhere just a little more gruesome and unbearable.

Tuesday, April 29, 2014

On the Tail Wagging the Dog

I saw an article in Tech Republic today that rubbed me the wrong way.  I probably should have ignored it, but it comes up so often, I had to capture my thoughts.

The article was entitled "IT self-sabotage: Don't be your own worst enemy".  By itself, that sounds like it may be valuable, but the article took less time to write than it did to read, and rehashed the same nonsense that has become pervasive in corporate America.  Namely, there's no value in enterprise IT, so don't fight consumerization.

http://www.techrepublic.com/article/it-self-sabotage-dont-be-your-own-worst-enemy/

I could not disagree more with this mindset.  It's nothing more than salve for the souls of the inadequate.  The difference between a company with a strong IT leader who maintains their principles and doesn't succumb to every trend for which he has no immediate answer and a company willing to flop around like a water hose at full blast going wherever the flow takes it may not be immediately evident from the outside, but it will be startlingly clear to anyone who has been in both types of shops.

Who is supposed to benefit from this article?  Who is the audience?  Certainly no-one in the enterprise space with a management role would be so obtuse as to adopt hardline stances absent any other mitigating factors;  surely no-one is so facile and ill-equipped as to believe for a moment that the role of corporate/enterprise IT is to let the tail continually wag the dog, which is clearly what this article advises.  Rubbish.

IT has a unique perspective in many companies, in that it sees the broadest possible picture.  IT recognizes benefits of standardization and architecture that extend beyond the interests of individual business units, who themselves are often unaware and/or unsympathetic to the fact that those interests can be in conflict with one another.  Deferring to the needs of the business as a policy means abdicating the important job of managing risk and ensuring that the entire organization runs smoothly and cost-effectively.  It's ridiculous to dismiss that in favor of myopic trends such as 'consumerization', or in the name of being more friendly.  Just because you can do something, it doesn't mean that you should.  Consumerization for example, is a trend born of a combination of overzealous, unqualified para-technicians masquerading as executives, and the eagerness of the technology sector to profit from them by legitimizing an otherwise (and historically) illegitimate tactic.  The herd mentality on full display in all of its resplendent glory...all the while, nobody has remembered to ask whether any of this stuff A) solves a real problem, and B) helps us generate more revenue, operate more profitably, and reduce (not simply rename) our risk.

In my experience, if a company runs into an IT department which says "no" too often, it's because the company isn't asking the right questions - meaning that they aren't applying careful, critical thought to the decisions facing them, or even willfully ignoring the obvious, underlying problems which seldom if ever have anything to do with technology.  IT might not (and should not) have all the answers about how to run a business, but they will certainly know when the business is about to dig themselves an enormous hole.  If IT doesn't speak up (and say "no"), they aren't doing their job.

To write up an article with insipid 'suggestions' such as these is of no more value than talking to someone for two minutes in a coffee shop line about their philosophy for enterprise architecture.  There is so much assumed, so much not considered, that it hardly makes sense to waste the time publishing it.