
Showing posts from April, 2009

A Shack in the Woods, Crumbling at the Core

Imagine a run-down shack. The kind I’m thinking of is like the cabin my grandfather bought in the late 60’s. It was about 16’x20’, built in the 30’s and then left to rot. It had wooden blocks for a foundation; it sagged about a foot in one corner as the blocks shifted and rotted; it was musty, moldy and damp. It was the very definition of deferred maintenance. A menagerie of non-human mobile life forms called it home. It was a shack, kind of like the one pictured here.

There are applications like that, lots of them. We probably all know where they are. Most of us will only have to look someplace in our data centers. Think of an old shack when you think of those applications.

What do you do with a shack like that? You could paint it, put new doors and windows in it, add on a bedroom and a porch, maybe even add plumbing and a bathroom. You could even secure it (from the rain) by fixing the roof. But what about the foundation? Sure you can remodel and add on to a house with a rot…

Unsolicited E-mail Containing Security Advice

Here’s one for the what-were-they-thinking files. I recently received an e-mail from a vendor that I’ve never heard of and with whom I’ve never done business:

From: "USA.NET" <news@info.usa.net>
To: <***.***@***.edu>
Date: 3/6/2009 11:28 AM
Subject: Weekly Security Update

Another wave of scam emails is circulating disguised as warnings from the U.S. Federal Reserve Bank. They lead to a fraudulent website that installs phishing/malware software or a Trojan virus that will send out critical information such as user names, passwords, or file contents of sensitive documents.

Always use best security practices when reviewing your email and do not open any email attachments from unknown senders.

http://info.usa.net/ct.html?rtr=on&s=eanw,***,***,****,*****,***,vn

To unsubscribe, send an email to: unsubscribe-15386@up0.net with the address: ***.***@***.edu in the subject line.

An unsolicited e-mail from an unknown sender advising me not to click on attachments in e-mails fr…

NYPD: Attacks or Noise?

Gasp! Panic! 70,000 attacks per day against the NYPD! From China no less! It must be a grand conspiracy! BlackRed Helicopters!

Either that or it's just the normal background noise of the Internet. Let me check.

Let's try 'cat *.log | grep Deny | wc -l' on today's logs:

00:00 - 01:00 = 2,437,222
12:00 - 13:00 = 4,071,284
13:00 - 14:00 = 3,323,089

That's enough data. This is a blog post, not peer reviewed research.

Figure 3 million per hour * 24 hours = umm... big numbers... let me get my calculator..... Start/Run/calc..... 3 * 24 = 72...

If an 'attack' is a denied packet, then seventy-two million 'attacks' per day is normal for a medium-sized network (two /16's and a /19). My guess is that some of them even come from China.
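What the post does by hand with grep, wc and the calculator, as a worked example. This is added here and is not code or data from the original post: the log lines are constructed in a Cisco ASA-like syslog format (the addresses and hostnames are made up), the hour buckets are the per-hour 'grep Deny | wc -l' counts, and the daily figure is the same extrapolation the post makes. It also ranks the denied source addresses, because "which sources, how many" is the first check to run before a pile of denies gets called an attack.

```python
import re
from collections import Counter

# Constructed sample of firewall records in a Cisco ASA-like syslog format.
# Made up for this example; not the post's logs.  Note the third line is a
# permitted connection ("Built"), not a deny, and must not be counted.
SAMPLE_LOG = """\
Apr 20 00:03:11 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/44512 dst inside:192.0.2.10/445 by access-group "outside_in"
Apr 20 00:41:02 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:192.0.2.22/1434 by access-group "outside_in"
Apr 20 00:59:59 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/44513 (203.0.113.7/44513) to inside:192.0.2.10/80 (192.0.2.10/80)
Apr 20 12:05:40 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/44514 dst inside:192.0.2.10/135 by access-group "outside_in"
Apr 20 12:17:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.50/55000 dst inside:192.0.2.11/22 by access-group "outside_in"
Apr 20 12:48:12 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.9/137 dst inside:192.0.2.23/137 by access-group "outside_in"
Apr 20 13:02:55 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/44515 dst inside:192.0.2.10/3389 by access-group "outside_in"
Apr 20 13:30:00 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.51/40001 dst inside:192.0.2.12/23 by access-group "outside_in"
"""

# "Mon DD HH:MM:SS host <rest>"  ->  (HH, rest)
LINE_RE = re.compile(r'^\w{3}\s+\d+\s+(\d{2}):\d{2}:\d{2}\s+\S+\s+(.*)$')
# A deny record, capturing the source IP after "src <iface>:"
DENY_RE = re.compile(r'\bDeny\b.*?src \S+?:(\d+\.\d+\.\d+\.\d+)/\d+')


def deny_counts_per_hour(log_text):
    """Return {hour: denies}: the per-hour equivalent of 'grep Deny | wc -l'."""
    per_hour = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip anything that is not a syslog record
        hour, body = m.groups()
        if DENY_RE.search(body):
            per_hour[int(hour)] += 1
    return dict(per_hour)


def top_sources(log_text, n=3):
    """Rank denied source addresses; a few noisy scanners usually dominate."""
    srcs = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DENY_RE.search(m.group(2))
        if d:
            srcs[d.group(1)] += 1
    return srcs.most_common(n)


def extrapolate_daily(per_hour):
    """Project a daily total from the hours actually sampled (the post's 3 * 24)."""
    if not per_hour:
        return 0
    avg = sum(per_hour.values()) / len(per_hour)
    return round(avg * 24)


if __name__ == "__main__":
    hourly = deny_counts_per_hour(SAMPLE_LOG)
    for hour in sorted(hourly):
        print(f"{hour:02d}:00 - {hour + 1:02d}:00 = {hourly[hour]}")
    print("projected per day:", extrapolate_daily(hourly))
    print("top sources:", top_sources(SAMPLE_LOG))
```

Run against real logs the same way the post does, one file per hour, and the only thing that changes is the size of the numbers; if the top-sources list is a handful of addresses hitting the same few ports, that is the scanning background noise the post describes, not a targeted campaign.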

I think it's just noise.

Don't tell anyone though. NYPD is probably going after Homeland Security funding.

Oh, and one more question: how do they know 'all the attempts have failed'?

Minimal Installations & the Consultants who Have no Clue

I've got a simple mantra that I sometimes express as the 'Least Bit Principle'. It's not complicated: in any system, install and configure the least number of services, packages, configurable entities, permissions or privileges necessary for system functionality. This goes way back to the days when one needed to disable default services while hardening a new server (chargen, anyone?), and it applies to any complex system: operating systems, databases, routers, firewalls, etc. It's not new, it's not radical.

The fundamentals of this principle are self-evident.
What is the minimum software needed to support the application functionality? (Hint: It's not 'Entire Distribution')
What are the minimum file system privileges necessary for application functionality? (Hint: It's not 'Everyone/Full Control')
What are the minimum database privileges necessary for application functionality? (Hint: It's not 'DBA' or 'DBO')Wh…
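The file system question above, turned into a check. This is an added example, not code from the original post: it builds a small constructed directory tree standing in for a hypothetical application install, then walks it and reports anything that grants more than the least bit: world-writable files, world-writable directories without the sticky bit, and setuid/setgid binaries. POSIX mode bits are assumed, so this is the Unix counterpart of the 'Everyone/Full Control' hint; the file names and modes are made up.

```python
import os
import stat
import tempfile


def excess_filesystem_grants(root):
    """Walk root and report entries that grant more than the application needs.

    Returns a sorted list of (path relative to root, reason).  Symlinks are
    skipped: their own mode bits are meaningless, the target gets judged.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(mode):
                # A world-writable directory is acceptable only with the sticky
                # bit (the /tmp pattern); otherwise anyone can rename/delete.
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((rel, "world-writable dir without sticky bit"))
            else:
                if mode & stat.S_IWOTH:
                    findings.append((rel, "world-writable file"))
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def demo():
    """Audit a constructed, hypothetical application tree (made up for this example)."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("bin", "tmp", "uploads"):
            os.mkdir(os.path.join(root, d))
        for rel, mode in [("bin/app", 0o755),        # fine
                          ("bin/helper", 0o4755),    # setuid: needs a justification
                          ("config.ini", 0o666),     # world-writable config: not fine
                          ("data.db", 0o640)]:       # fine
            path = os.path.join(root, rel)
            with open(path, "w") as f:
                f.write("x")
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "tmp"), 0o1777)      # sticky bit set: fine
        os.chmod(os.path.join(root, "uploads"), 0o777)   # no sticky bit: not fine
        return excess_filesystem_grants(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:40s} {rel}")
```

Point `excess_filesystem_grants` at a real install root and the output is the list of grants to argue about with the vendor; an empty list is the goal, and every remaining entry should have a reason written down next to it.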

SMS as Two Factor Authentication Spoofable?

Speculation as to why there is an apparent rush to buy a certain model of an old Nokia cell phone:
'The 1100 can apparently be reprogrammed to use someone else's phone number, which would also let the device receive text messages. That capability opens up an opportunity for online banking fraud.' If true, then an SMS to a cell phone would no longer be reliable for two factor authentication. Impersonate a person's phone long enough to log into their bank account? That'd be amusing.

Firewall Complexity Versus Time

As a follow-up to Firewall Rule (Mis)Management, I created a few simple charts showing the growth of a firewall config over time. The Y-axis is simply the size of the config in bytes. The X-axis represents time from 2002 to present. This particular firewall is at a data center that is being phased out, so as applications get deprovisioned or moved, the configuration size shrinks.

The second chart is for a firewall at another data center that was spun up in 2005. The X-axis is time from 2005 through today. The steep change in size at the left is the initial provisioning of the apps in the new data center.

The configuration size has grown continuously since 2005. I’m expecting that it will continue to grow as more apps get hosted. There are not too many scenarios where a configuration would shrink unless major applications were phased out or the firewall manager decided to simplify the problem with a few ‘permit any any’ rules.

At some point in time it’ll be too large to manage if it isn’t a…
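The two things the charts track, taken one step further: counting rules instead of bytes across snapshots, and flagging the ‘permit any any’ shortcut that would make the byte count shrink for the wrong reason. This is an added example, not the post's configs or charts: the two ACL snapshots are constructed in Cisco IOS-style syntax, and the access-list name, addresses and years are hypothetical.

```python
import re

# Two constructed snapshots of one access list, as a config archive might hold
# them.  Hypothetical; not the configs behind the post's charts.
SNAPSHOT_2005 = """\
ip access-list extended outside_in
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.11 eq 25
 deny ip any any log
"""
SNAPSHOT_2009 = """\
ip access-list extended outside_in
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.11 eq 25
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.12 eq 22
 permit udp any host 192.0.2.13 eq 53
 permit ip any any
 deny ip any any log
"""

# " permit|deny <proto> <rest>"; rule lines are indented, the list header is not.
RULE_RE = re.compile(r'^\s+(permit|deny)\s+(\S+)\s+(.*)$')


def parse_rules(config):
    """Return [(action, protocol, rest)] for every rule line in the config."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).strip()))
    return rules


def any_any_permits(config):
    """Permit rules whose source and destination are both 'any' with nothing
    narrowing them: the shortcut that simplifies the config by opening it."""
    out = []
    for action, proto, rest in parse_rules(config):
        fields = rest.split()
        if action == "permit" and fields == ["any", "any"]:
            out.append(f"permit {proto} {rest}")
    return out


def growth_report(snapshots):
    """Per snapshot: (label, bytes, rule count, any-any permits, % rule growth
    relative to the first snapshot).  Bytes is what the post charted; rules
    is the number that actually has to be managed."""
    rows = []
    first = None
    for label, cfg in snapshots:
        n = len(parse_rules(cfg))
        if first is None:
            first = n
        growth = round(100 * (n - first) / first) if first else 0
        rows.append((label, len(cfg.encode()), n, len(any_any_permits(cfg)), growth))
    return rows


if __name__ == "__main__":
    for label, size, rules, shortcuts, growth in growth_report(
            [("2005", SNAPSHOT_2005), ("2009", SNAPSHOT_2009)]):
        print(f"{label}: {size} bytes, {rules} rules, "
              f"{shortcuts} any-any permit(s), {growth:+d}% rules since first")
```

Run over a directory of dated config backups, the rule-count column gives the same curve as the post's byte-count chart, and a non-zero any-any column on a snapshot where the curve suddenly flattens is the "simplified" case the post mentions rather than real cleanup.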

Anonymity is not Privacy

Let's pretend that I want to do something subversive like participate in a social network with persons who don't like the current form of government, or maybe I want to be really subversive and prevent advertisers from tracking my social network habits. In either case, preventing someone from de-anonymizing me is essential. The University of Texas paper linked here demonstrates that by using anonymous data from multiple social networks it is possible to de-anonymize individuals and reliably identify them by comparing the links between the persons in the social networks.

This is relevant in daily online life. If for example, my personal online presence could jeopardize my professional standing (a firearms advocate in a liberal University comes to mind), I would need to maintain separation of personal and professional online presence. Individuals who need to fear loss of freedom based on their personal social network affiliation would be another example. This re…
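The mechanism the post summarizes, reduced to a toy. This is an added example and not the paper's code or data: two constructed networks of hypothetical people, one with real names, one with opaque ids and slightly different links, and two "seed" profiles assumed to have been identified some other way. Matching then proceeds on link structure alone: an unmapped id is paired with the named node that shares the most already-mapped neighbours, but only when that best candidate clearly beats the runner-up. Compared with the published technique this is heavily simplified (no similarity weighting, no reverse-direction check), but it shows why a separate account with a disjoint friend list is the only separation that holds.

```python
from collections import Counter

# Constructed toy data (hypothetical people; not from the paper or the post).
# KNOWN: a network where profiles carry real names.
# ANON:  a second network where the same people appear under opaque ids.
KNOWN = {
    "alice": {"bob", "carol", "dave", "grace", "heidi"},
    "bob":   {"alice", "carol", "erin"},
    "carol": {"alice", "bob", "dave"},
    "dave":  {"alice", "carol", "frank"},
    "erin":  {"bob", "frank"},
    "frank": {"dave", "erin"},
    "grace": {"alice"},
    "heidi": {"alice"},
}
ANON = {
    "n1": {"n2", "n3", "n4", "n7"},
    "n2": {"n1", "n3", "n5"},
    "n3": {"n1", "n2", "n4"},
    "n4": {"n1", "n3"},          # dave's link to frank is missing here: the networks differ
    "n5": {"n2", "n6"},
    "n6": {"n5"},
    "n7": {"n1"},                # grace or heidi? structurally indistinguishable
}
SEEDS = {"n1": "alice", "n2": "bob"}   # assumed identified out of band


def propagate(anon, known, seeds):
    """Seed-and-extend matching on link structure alone.

    Each pass tries every unmapped anon node: score each unused named node by
    how many of the anon node's already-mapped neighbours it is linked to, and
    accept the top scorer only if it beats the runner-up (ties stay unmapped).
    Repeat until a pass adds nothing.
    """
    mapping = dict(seeds)
    changed = True
    while changed:
        changed = False
        used = set(mapping.values())
        for a in anon:
            if a in mapping:
                continue
            mapped_nbrs = {mapping[x] for x in anon[a] if x in mapping}
            if not mapped_nbrs:
                continue                      # nothing to compare against yet
            scores = Counter({b: len(known[b] & mapped_nbrs)
                              for b in known if b not in used})
            ranked = scores.most_common(2)
            if not ranked:
                continue
            best, best_score = ranked[0]
            runner_up = ranked[1][1] if len(ranked) > 1 else 0
            if best_score >= 1 and best_score > runner_up:
                mapping[a] = best
                used.add(best)
                changed = True
    return mapping


if __name__ == "__main__":
    for anon_id, name in sorted(propagate(ANON, KNOWN, SEEDS).items()):
        print(f"{anon_id} -> {name}")
```

Two seeds identify six of seven accounts here even though one link differs between the networks; the seventh stays unmapped only because the toy data gives it a structural twin. With real friend lists of hundreds of links, twins are rare, which is the paper's point and the reason a "separate" personal profile that shares its friend graph with the professional one is not separate at all.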

QWERTY is Mainstream?

Touch screens and QWERTY keyboards on mobile devices are finally mainstream, just about the time when they really should be obsolete. That’s too bad, really. Voice control should be mainstream, not QWERTY keypads. I should be able to have basic mobile phone control and mobile communications without reaching for my phone and poking around on it. It’s 2009. For mobile devices, touches, swipes, swirls, stabs and keypads are archaic. Phones should be heard, not seen.

How close are we?

Microsoft Voice Command is a partial solution. It allows basic phone control with speaker-independent voice. It works with Bluetooth, so I can tap the headset and say things like ‘call Jake Botts at home’ or ‘dial 612 555 1212’ and it generally figures out what I want. It also allows voice access to the calendar (‘What’s my schedule’), and can navigate menus and contacts (‘show Jake Botts’ or ‘start solitaire’ or ‘start google maps’). Additionally, it reads incoming SMS’s & messages and announces incoming…

Vendors That Don’t Support VM’s?

From a large software vendor:

VMWare support: <vendor> applications running on VMware are supported as long as the OS running in the virtual machine is certified by <vendor> (see <vendor> Platform Availability Matrix).

That’s good. However:

If <vendor> is unable to reproduce an issue the customer may be asked to reproduce the problem running natively on the certified OS, without the use of VMware. <vendor> does not explicitly test or certify products running in a VMware environment.

That’s not good. We’ve run into this a handful of times. In this case, I’m not sure how to interpret the nuanced difference between support and certification, but it’s pretty clear that <vendor> wants to leave open the option of blaming the VM in cases where they can’t figure out what’s broken. It’s the old ‘I have no clue what’s happening, so I’ll blame the network/firewall’ problem. In theory, one would have to maintain a non-VM test environment to use in the event …

The Cloud - A New Provider Failure Mode

I certainly would not have thought of this failure mode. A law enforcement agency raids a datacenter and grabs the hardware that your provider uses to host your business critical application.

The FBI has seized all equipment belonging to our customers. Many customers went to the data center to try and retrieve their equipment, but were threatened with arrest.

Let’s assume that some customer in a cloud or co-lo is doing something bad. The law enforcement agency doesn’t understand clouds, virtualization, VMotion, or hypervisors. They understand computers. Which one is it? Who knows. Grab them all.

I’m not clear on the details of what happened in this particular event. It’s possible that the provider was a legitimate target of law enforcement. From the point of view of someone who has a critical application tied up in the mess, the details are not as important as the concept. If someone, somewhere in the same co-lo or cloud as you commits some crime, what will law enforcement do, and how wi…

A New Model for Product Purchasing

Most organizations follow an acquisition model similar to:

Identify Business Need
Gather Requirements
Evaluate Products
Select Product
Purchase Product
Implement Product

This model has generally proven to be costly and unreliable. Significant resources are spent identifying needs and requirements. Working with users to determine requirements is generally unreliable and often results in recursive need/requirement loops. Product evaluation and selection is time consuming and expensive, often requiring RFP’s, live demos and test installations. The end product rarely meets the users’ needs or requirements, simply because the unreliability of the user results in documented needs and requirements that do not represent actual user requirements.

The above process may be significantly streamlined by simply eliminating the unnecessary steps and reordering the remaining ones. The new model looks like this:

Purchase Product
Implement Product
Gather Requirements
Identify Business Need

This minor modi…