The freedom to fix our stuff

This week the Wall Street Journal ran an editorial about the right to fix our gadgets. It was surprisingly pro-consumer. The author wrote about a friend whose Samsung TV broke due to $12 worth of capacitors and how he fixed the TV, with no experience, in a couple of hours. I can relate, though I took the easy way out.

He lamented that throwing away gadgets is unethical on several levels, and I agree. I also remember a time when it wasn’t this way.


CD won’t rip? Try a different drive.

A few weeks ago I uncovered a stash of CDs from my college and early bachelor days that, for one reason or another, I’d never ripped to MP3 format.

When I started ripping the discs, I got one clue as to why I never ripped some of them: Some of them made the DVD drive in my Dell laptop sound like a Commodore 1541. If you ever owned a Commodore, you know exactly what I’m talking about. If you haven’t ever owned a Commodore, let’s just say my drive groaned in protest very loudly, and in exchange for putting up with the noise and insanely long rip times, I received a bunch of errors and a few MP3s that played really poorly.


Your company’s juiciest LinkedIn targets

People who’ve moved onward and upward within the company, bridging multiple departments, are great attack targets because they probably have more permissions than someone who’s stayed in a single role.

In non-security speak, let’s talk about someone who moves from Accounting to HR. The right way to handle it is to grant access to all of the HR data and systems, and cut off all of the person’s access to accounting data and systems.

In practice, that rarely happens. In previous roles, I’ve often ended up with access to more than one group of systems after being moved around, so I’ve not only seen it, I’ve experienced it firsthand.

The bad guys know this. So they’re going to scour LinkedIn for people who have multiple entries on their profiles for the same company, knowing they probably still have a foot in both worlds. People like that are going to get more phishing e-mails than average, because they have access to twice as much stuff. That means if an attacker manages to get onto their system, the attacker will have access to twice as much stuff, too.

This gets overlooked a lot, but HR and security need to have a very good working relationship to keep these kinds of situations from happening. Employees who stay with an organization and move onward and upward within it are very rare these days, and those employees deserve every bit of the extra protection they need.

Career advisers say to make sure you show all of your upward movement within the same company on your resume and on your LinkedIn profile. I know not everyone does this, but jobs are difficult enough to get that we have to assume people are looking for that edge. As security professionals, our job is to understand this reality and make sure it doesn’t mean extra exposure.
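One way security and HR can check for the leftover access described above, as an added example that is not part of the original post: reconcile HR's list of internal transfers against current group memberships and flag anyone still holding groups from their old department. The department names, group names, users and dates are all constructed for illustration.

```python
from datetime import date

# Constructed mapping of departments to the groups that grant their access.
DEPT_GROUPS = {
    "Accounting": {"acct-ledger-rw", "acct-payroll-ro"},
    "HR": {"hr-records-rw", "hr-benefits-rw"},
}

# Constructed HR feed of internal transfers: (user, old_dept, new_dept, effective).
TRANSFERS = [
    ("jdoe", "Accounting", "HR", date(2015, 3, 2)),
    ("asmith", "HR", "Accounting", date(2015, 6, 15)),
]

# Constructed snapshot of current directory group memberships.
MEMBERSHIPS = {
    "jdoe": {"hr-records-rw", "hr-benefits-rw", "acct-ledger-rw", "all-staff"},
    "asmith": {"acct-ledger-rw", "acct-payroll-ro", "all-staff"},
}


def review_transfers(transfers, memberships, dept_groups, today, grace_days=0):
    """Return one finding per transferred user whose access does not match the new role."""
    findings = []
    for user, old_dept, new_dept, effective in transfers:
        if (today - effective).days < grace_days:
            continue  # transfer still inside the agreed handover window
        held = memberships.get(user, set())
        new_groups = dept_groups[new_dept]
        # Groups that belong only to the old department should be gone.
        stale = (dept_groups[old_dept] - new_groups) & held
        # Groups the new role needs but the user never received.
        missing = new_groups - held
        if stale or missing:
            findings.append({"user": user, "from": old_dept, "to": new_dept,
                             "revoke": sorted(stale), "grant": sorted(missing)})
    # Users holding the most leftover access are the most exposed; list them first.
    return sorted(findings, key=lambda f: len(f["revoke"]), reverse=True)


if __name__ == "__main__":
    for f in review_transfers(TRANSFERS, MEMBERSHIPS, DEPT_GROUPS, date(2015, 9, 1)):
        print(f"{f['user']}: {f['from']} -> {f['to']} "
              f"revoke={f['revoke']} grant={f['grant']}")
```

Run on a schedule against the real HR feed and directory export, the output doubles as the revocation list for each transfer.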

How to disarm a scammer

Buried unfortunately deep in August’s Social Engineer podcast was some outstanding advice from British TV star R. Paul Wilson, who turned scamming into prime-time BBC TV for several seasons.

Wilson, who literally has sold someone a bridge that he of course didn’t own, has lots of experience on both sides of scamming, so his experience is invaluable. I was just disappointed that we had to listen to 45 minutes of Christopher Hadnagy and David Kennedy arguing before we could hear it, so I’ll cut through the garbage.


The most valuable IT skill you can learn in 2015: Splunk

Whether you want to move to security or just get a lot of job security and raise potential while staying in infrastructure, probably the best thing you can do for your career is to learn Splunk.

What’s Splunk, you ask? Well, my t-shirt says “Weapon of a security warrior,” but it really does a lot more than that.

I think of it as a centralized logging and alerting system, but really, because it can log and alert and draw graphs, it can replace almost any piece of management infrastructure. I asked, only ten-percent joking, why a Splunk shop needs to run anything else to manage itself.

Stand up Splunk, let it collect your logs and your performance data, and when something goes wrong, you have one place to look for the data you need to figure out what happened.

Fortunately, unlike many enterprise tools, you can run Splunk at home for free. Splunk offers a well-written 200-page book for free in all of the common e-book formats that provides a good introduction and a set of data to play with, and you can download the software itself from Splunk’s front page. You can then pull your logs from all of your desktops, and if you run DD-WRT, you can pull those logs as well, then practice learning what you can from that data beyond what’s in the book.

You will undoubtedly find some things when you start poking around, so even if you’re not able to get going with Splunk in your current role, you’ll end up with the war stories you need to get a Splunk-related role for your next job. Even if all you do is catch HD Moore and Robert Graham scanning you, your interviewer will be interested in hearing how you saw it and managed to figure out it was them.

Use this file to find out how much your antivirus is protecting you

Unlike some security professionals, I still regard antivirus as a necessity. It doesn’t catch advanced threats, and everything it does catch can be caught through other methods, but it is the most cost- and labor-effective way to catch the best-known, least sophisticated attacks. If you put a $100,000 incident responder to work hunting ordinary viruses, you’ll waste a lot of money on salary and quickly lose that incident responder to another company offering more interesting work.

Of course, there’s a great deal of discussion in the mainstream computer magazines about which antivirus is the best. I don’t agree with their methodology though–they might as well be looking for the longest 8-foot 2×4 at the home improvement store. Yes, you can probably find some variance if you get out a micrometer, but what have you accomplished?

SANS has a good real-world test to see how much protection your antivirus software is really giving you.
