David L. Farquhar, computer security professional, train hobbyist, and landlord
“Whatever happened to the Legions of Doom server?” a coworker asked me as a technician swapped her computer.
I smiled a wicked smile. “Victory ping!” I then turned to my computer. “Ping pmprint02. Request timed out. Request timed out. Request timed out. Request timed out,” I read as the words scrolled onto my screen.
“Victory ping?” my boss–yes, my lunch ninja boss–came over and asked.
“I know that box,” the technician said. There’s a good reason he didn’t say “server.”
Much has been made of Hillary Clinton’s use of her own mail server, running out of her home. It didn’t change my opinion of her, and I don’t think it changed anyone else’s either–it just reinforces what everyone has thought of her since the early 1990s. Then, Ars Technica came forward with the bizarre case of Scott Gration, an ambassador who ran his own shadow IT shop out of a bathroom stall in Nairobi.
The money quote from Ars: “In other words, Gration was the end user from hell for an understaffed IT team.” And it concluded with, “[A]s with Clinton, Gration was the boss—and the boss got what the boss wanted.”
Indeed. And it doesn’t just happen in the government.
I was on a conference call discussing the Microsoft product lifecycle with several coworkers and our Microsoft-assigned support engineers when someone asked if a server version of Windows 10 was going to come out.
The Microsoft rep said no comment. Then I chimed in.
“We need to assume they will release a server version, probably about six months after the desktop version, and we need to start testing and preparing to deploy it when it comes out,” I said.
“Shouldn’t we wait for Service Pack 1?”
I went in for the kill.
So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.
Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”
Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.
“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day.
“What, Cygwin’s bash?” I asked.
“No, in CMD.EXE.”
I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables and parenthesis and other reserved characters. Suddenly it made sense. Those cryptic batch files are exploiting the command interpreter to do things that shouldn’t be done. Then I smiled.
Late last week, Home Depot finally released a statement about its data breach. At least they had the decency to call the attack “custom” and not spin it as “advanced” or “sophisticated.” Even “custom” is really a euphemism, as the attack wasn’t all that different from what other retailers experienced earlier in the year. It may have been as simple as recompressing the BlackPOS malware using a different compression algorithm or compression ratio to evade antivirus.
The breach involves about 56 million cards, making it a bigger breach than Target.
From time to time, Windows patches will fail to install because a server doesn’t have enough space to install them. Finding the ginormous files are that are hogging all the space on the C drive is really tedious if you do it by clicking around in Windows Explorer, but there’s a better way.
Download the free Sysinternals Du.exe utility and you can find the behemoths in minutes, if not seconds.
One of my former supervisors now works for a security vendor. He told me the other day that someone asked him, “Does your company have anything so I don’t have to patch anymore?”
The answer, of course, is that there’s nothing that gets you out of ever having to patch anymore. To some degree you can mitigate, but there’s no longer any such thing as a completely friendly network. The reasoning that you’re behind a firewall doesn’t work anymore. On corporate networks, there’s always something hostile roaming around behind the firewall, and you have to protect against it. If you’re on a home network with just a computer and a router, your computer and router attack each other from time to time. That’s the hostile world we live in right now. Patching is one of the fundamental things you have to do to keep those attacks from being successful.
That said, there are things you can do to patch less.
Every once in a great while, I have to answer a question like what version of Windows a range of servers is running. If the number of servers is very small, you can just connect to them with a Terminal Services client and note what comes up. But sometimes that’s impractical. Right now I’m working someplace that has 8,000 servers, more or less. I’m not going to check 8,000 servers manually. I’m just not.
Here’s a more elegant, much faster way to go about getting that information.