The Scripting Guy blog has a great article called Beat the Auditors which is something that most Sys Admins want to do (and in some cases it might also be in more ways than one!). The article has a powershell script that audits the computers on the network for services and accounts that may have very old passwords (or no passwords) and provides the output into a nice excel file for reporting. The article steps through the script line by line to provide assistance in understanding the script which should allow you to tweak it as required for your environment.  Subscribe to the blog posts to follow the next couple of articles in the series where the script will be expanded upon and developed.

I especially liked the tagline – “if the barn doors are wide open, why look for mice holes!”

I just bought a used iPad off of my friend Chuck Tomasi. After all this thing has been through I think I found a security hole. Let me explain.

First off, I know Chuck wiped and restored the iPad before he sent it to me because iTunes was required for me to register it when I got my hands on it. When iTunes came up it asked me if I would like to restore a backup from my previous iPad, I did. During that process iTunes puts back all the apps that I had by reinstalling them. Afterwards everything looked great…until I opened Pandora.

I opened Pandora to play some music and I noticed I wasn’t logged in, but Chuck still was with all his stations and everything. I have not heard of anyone else having this problem, but I thought is could be a potential security hole that people need to watch out for when selling or buying used iPads.

Has anyone else had this happen? Leave comments below.

I’ve been watching a debate over the last week, or more, on one of the email lists relevant to my current professional field, Litigation Support. It all started with a comment by a computer forensic vendor in which he mentioned that they routinely buy used hard drive on eBay and use them to practice and test their forensic tools, trying to recover whatever data they can. There has been quite a controversy over whether that’s professionally ethical or not, but that’s not really the reason for this post. My feeling on whether that’s  ethical or not is irrelevant.

My concern is much more basic than that. I just thought maybe you all would want to think about where your old drives are going when you decide to get rid of a computer! Even if you reformat the drive, much of that data can be recovered with the right tools, and that’s assuming the recycling place you dropped it off at actually takes the time to do the reformat. We’ve all seen too many stories of drives not being wiped at all when they’ve been resold. Surely we all take steps to prevent that, right? On the other hand, how many people do you know who do a quick format and assume it’s clean? It’s not. Do some research, ask around,  find a secure way to wipe that drive, or, as one of my listmates suggested take the ultimate secure HD tool to it, a 12-gauge shotgun.

What other tools do you recommend to your users?  Hammers, screwdrivers to the plates, metal shredders? Let us know!

Microsoft’s SteadyState 2.5 is now in Beta and supports Vista. Admittedly the application is in Beta but for those of you who need the ability to lock down a pc so that any changes made by users get removed on reboot, then SteadyState is well worth investigating. This application was last mentioned back in July, but the new version has recently been released.

Our Friendsintech members Paul Asadoorian and Larry Pesce from Pauldotcom Security Weekly have their new book and the companion web site out. If you have a linksys WRT54G and wanted to know all the cool tricks you can do with it then check out their book and website. Better yet, get two or three routers cause you want to be hacking them up after you see all the things you can do.

Links Mentioned:

• Ultimate WRT54G Hacking Book
  
• http://wrt54ghacks.com/

Hi Everyone!

It is the return and refresh of the Friends in Tech Child Safety Flier. Feel free to share this flier with anyone whom has kids and is concerned with online safety. We have links for everything from blogging, cyberbullying to advice for parents. We managed to toss in a couple of software and podcast picks that are family friendly. The flier looks great printed out as well as the electronic PDF. Please respect all the sites we cover and do not modify the flier if you share it. FiT nor any of its members derive any financial benefits from this flier or its mentioned sites. We are simply tech geeks with children, nieces, nephews and young friends we want to be safe and happy.

Links Mentioned:

• http://www.blogsafety.com/
• http://www.stopcyberbullying.org/
• http://www.safekids.com/
• http://wiredsafety.org/
• http://www.csn.org/
• http://www.netsmartz.org/
• http://www.thesafeside.com/
• http://www.fbi.gov/publications/pguide/pguidee.htm/
• http://www.openoffice.org/
• http://free.grisoft.com/
• http://www.microsoft.com/defender
• http://picasa.google.com/
• http://www.clamxav.com/
• http://www.grapefruit.ch/iBackup/index.html
• http://www.dlink.com/products/securespot/
• Podcast – Tech Savvy Girlz
  
• Podcast – The Radio Adventures of Dr. Floyd

eBook Download

I like some of the free tools from eEye. In the process of checking the site this week I found they are offering a security suite free for a limited time for Windows home users. They combine antivirus, intrusion detection and antispyware in one program. This saves the memory and resources to run multiple different tools.

Links Mentioned:

• eEYE Blink Personal Edition

As part of transitioning to my new responsibilities I’ve been spending quite a lot of time reading up on Electronic Discovery best practices. One of the themes that I’ve been seeing over and over again is this idea that anytime there’s impending litigation against a company, you have to immediately get a key IT person involved. Someone who knows the infrastructure, who knows where everything is stored and can testify to that as part of the discovery process. You have to have them implement a “legal hold”, which basically to recycling backup tapes or doing anything else that might destroy data relevant to the litigation as soon as you become aware that it is impending. Again, you need your key IT people to do this properly.
Anyway, not to bore you with too many legal details, (those are now my problem, not yours) but in reading about all the contact needed with key IT folks, both in implementing a hold, and having them present at discovery depositions, I wondered why, if this is a legal best practice, I hadn’t ever heard anyone in the IT community really discuss having been through this sort of scenario? Shouldn’t Sys Admins be familiar with the concept? Isn’t it odd that of all the Sys Admin types I know, I’ve never heard one talk about dealing with electronic discovery from this end of the situation? I’ve heard plenty of folks talk about retention policies, which are part of the whole area, but nothing about how those policies come into play when your company is party to litigation. Are there legal reasons to not discuss it at all, or is it a much less frequent occurrence than my research would lead me to believe?

So, I want to know. Have any of you been involved in a “hold” situation, or had to appear at a deposition to describe what electronic storage is available and can be searched? Leave a comment, tell me about it, and be sure to change names, dates, places, etc. Wouldn’t want any of you to be back dealing with the lawyers again. Even if you’ve never been involved in something like this, tell us what you think about it. Does your organization have good policies in place? Are you aware of what to do if it happens, has anyone identified who the key people are ahead of time? I’m curious to see how these best practices are playing outside the legal community.

In my previous post I posed a problem where all the users were in the domain admins group and asked what dangers this could pose.  The responses included the fact that removing people from the domain admins group could cause issues with programs running on the local desktop if the previous setup relied on the administrative rights to allow users to be an administrator on the local pc.  This is a correct statement, but there is another gotcha that has yet to be revealed.

From my analysis of the network (after the gotcha was revealed) it was discovered that the previous administrators had been lazy and actually added everybody to all of the groups in  the domain so they wouldn’t have to worry about people not being able to do things. I removed them all from the domain administrators group to lock down security (they would need to be in the power users for some old applications to work)
So now you know all the relevant details that may lead you to the gotcha, what do you think is the problem?

A couple of weeks ago I had the experience of working a long weekend to upgrade a clients network from an old NT network to Microsoft’s Small Business Server 2003. The actual upgrade went fairly smoothly but something arose that I thought would make a good puzzler for the Friends In Tech Website……

You come to upgrade a domain from nt4 to sbs2003 and do a swing migration. This transfers all the existing users, groups, email address’s and configuration to a new hardware platform with the minimum of downtime. The old network domain was previously set up by a different IT company so you thoroughly document the setup prior to the upgrade. As part of this routine you notice that all the users are in the domain administrators group. You know this is a very bad idea and plan to remove the users from this domain administrator group.

Judging from the fact that all users are in the domain administrators group, this could imply a certain procedure for how users were setup in the past. What could this procedure be, how risky is it to remove users from the domain administrators group and what unforseen consequences could this have?

Please comment to this post or in the Friends In Tech Forums and an answer will be posted after a week and a clue given if nobody gets it. The idea of this post is to stimulate discussion, brainstorm ideas and warn others of a potential pitfall! You may want to subscribe to the comments feed to see what other suggestions have been made.

I had a fun experience when working at a client site on Friday night – all names have been erased (apart from mine) to protect the guilty……

A customer needed to switch to a dsl line for their internet connectivity which meant a disruption to their website, incoming email and outgoing internet so it had to be done out of hours. As it also involved changes to externally hosted dns it was better to do it at a weekend so that by the time users came back to work on Monday all the dns servers would be returning the correct data.

I picked up the key for the building earlier on in the week and agreed with the customer that they would not set the alarm that night (I’d be arriving shortly after they would have left for the weekend) and I’d just have to arm it when I left.

Friday night I turned up at the client site, unlocked the front door and hear a beeping noise coming from the alarm control unit – this was not going to be a good start to the evening.  I fumbled in my coat pockets for my phone and also for the customers cell phone number on a piece of paper to try and get the code before the alarm went off – those alarm sound bombs are painful. I literally dropped everything and ran out of the door to where I could stand without my ears hurting. Fortunately I still had the key in my possession and the phone was in my jacket pocket (as I hadn’t been able to get it out in time).

I called the contact number for the client and received a “hello” and then the connection died. When I redialed I just received the voicemail so I then called our office to see if someone had a home phone number but they didn’t. In the meantime the client calls me
back but each time I call them I have to wait ages for them to answer. By the time I get to speak with them the alarm has stopped ringing but I didn’t want to open the door in case it set the alarm off again. The client gives me the code to enter and I go inside, reset the alarm and then hang up the phone.  Just as I do this the police show up! I explain what is going on, show them that I have the key to the building so I’m not a burglar and have to produce id for him.

The cop leaves and I go and apologise to the cat that must have been in
REAL pain (turns out there is actually two pet cats in the building), and
start work. As I have to sit on the floor as there is no desk space I
spread my stuff out and the cats promptly come and sit on the pieces of paperwork making it hard to read the various passwords and details needed to complete the job. The job was actually a bit more complicated than I expected but I obtained some pdf’s from the manufacturers website and was able to move their internet connection across ok.
A very memorable evening but there are several things to learn from this.

• Ensure you ALWAYS have the alarm code for a customer site if working out of hours – do not rely on them turning it off before you arrive.
• Ensure you have at least one contact number for a client – preferably two in case the first does not answer.
• Carry some id with you – a company business card is good to prove that you are not just a member of the public – although I didn’t have a business card to hand (they were all in the computer bag inside the building) I had driven the company car with all of the advertising stickers on it.
• Cats love to sit on papers spread out on the floor – try and organise a desk to sit at when working – it can also get uncomfortable sitting on the floor for long periods of time.
• If you are allergic to pets check that customers don’t have animals roaming around the premises (especially if the customer is a zoo!)
• An external source of internet connectivity is great for testing and looking up results on the internet without having to revert to the customers network (which may or may not be working properly at the time)

EEye Digital Security have announced that a worm is attacking Symantec hosts and called it the yellow worm due to the obvious colouring of the software. Symantec have had a patch available since May 25th this year but the patch has not been widely installed. This is probably due to the fact that there is no easy auto update for the software from Symantec – Liveupdate does not download patches (only virus definitions), there is no obvious mailing list to sign up for patch release information and they have not made a patch available for (slightly) older versions of the software meaning that a company has to upgrade to the latest version (10.1 from 10.0 – not a free upgrade unless on support) to obtain a patch and even then the patch has to be applied afterwards.

Symantec, you really need to make your upgrade process less painful, have a well publicised mailing list (and web page) of patch releases and have an update mechanism built into the product.

This news from Apple may make you think twice about allowing users to bring ipods into the office – A small number of ipods were shipped with a virus on them in September 2006.

This isn’t the first time that big name companies have shipped virus’s on media – various driver cd’s have had virus’s on them in the past but this may make some people think twice about allowing any media players into the building. However, a policy should really be in place as the ipod is capable of acting like any other mass storage device which in turn acts just like the floppies of yesteryear.

How’s that for an obvious post title?

But, given the news over the weekend about a very serious JavaScript vulnerability in Firefox, it bears repeating the obvious. Using Firefox certainly gets you away from the ActiveX issues surrounding Internet Explorer, but it’s hardly a cure-all for staying secure when browsing the Internet.

I’m sure the Mozilla folks will be working hard on this until they get a fix, but for right now, be very careful out there.

PC-Doctor is recommending installing a NoScript extension as a way to protect yourself. I haven’t done that just yet, but I’m keeping it on my radar.

Update: There seems to be some question as to how serious this flaw is. Apparently, the folks who presented it may have over-hyped it, considerably. “We were just trying to have some fun up there“. I don’t get the impression that the Mozilla folks are amused. I don’t think we’ve heard the last of this story, but in any case, I stand by my advice, be very careful out there.

Hopefully if you have an account with Second Life (a virtual online gaming site) you will have received a newsletter to say that their site was hacked. Their blog post states the following -

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information. No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised.

What is interesting is that encrypted data was potentially downloaded with users real life information. The possibility for phishing would be quite high. Also the chances are that users are likely to have the same password on multiple systems. What was concerning was the phrase “No unencrypted credit card information is stored on the database in question” – does this mean that unencrypted information is stored on a database somewhere else?

I got a pretty good response from the coworkers I sent this link to from Bruce Schneier’s blog. He talks a bit about USBDumper, a program that silently copies all the contents of any USB drive inserted into the machine. The comment discussion is pretty interesting as well, pointing out legitimate uses for it, such as auditing what people are plugging into the USB ports of your business PC’s, but it is also really scary to think that someone with just the ability to unzip a file and run an executable could be grabbing all the data from a USB drive. As Bruce points out, salespeople or people doing presentations commonly plug drives into a customer’s PC. The attorneys where I work do it quite often at a client’s office, or when they are presenting evidence, and commonly have a lot more stuff on there than just what they are showing that client. Despite our best education efforts, I’m sure some of them even take unencrypted confidential client data off-site with a USB drive and plug that same drive into remote machines. (Which also brings losing the drive into the risk equation!)

It’s an issue we’ve been working on, trying to find the right solution along with trying to convince management of the need to implement it. I can’t help but wonder if we installed this on one of our pool laptops and started grabbing data and then presented that data back would it then become a higher priority?