IT Security


IT Security | 17 Dec 2014 09:10 am
I already posted about this funny issue twice on Facebook, but the issue continues to fascinate me, so it gets a blog entry as a learning and warning to others on the potential ills of text messaging. I have had numerous discussions with my middle school and high school aged sons regarding propriety in txt messages, tweets, and emails. With cell phones having cameras, I have had the “direct” conversation about not taking inappropriate pictures or videos, certainly never posting “sketchy” photos or videos on social media, and DO NOT send them via text to their friends. This conversation started a few years ago and continues to this day, because I believe youngsters need reinforcement. And when sitting at the “breakfast” place on Saturday, when I reiterate a life lesson, I laugh to myself when Josh or Daniel complain that we already covered the issue over and over again.

The conversation started a few years ago because one of Josh’s friends was walking home from school when another kid who would be labeled “a jock” decided to give a beating to a kid who would be labeled a “computer nerd”. Who knows why kid A decided to beat up kid B. Josh was not friends with either of them, but did know one of the kids who was walking home, with a less than smart participant videotaping the beating and quickly posting it to Facebook. Josh showed me the video when I got home, and my first comment was “nothing good was going to come of it”. The next day, the principal called kids into the office at the middle school and asked a simple question to the kids who were there, but not the kid who gave the beating. The question was “were you at the incident?” One by one the kids he called into the office said “No”, and the principal said, “I saw the video, you were there, you’re suspended for a week.” This occurred for everybody on the video. Suspended, not because they participated in the beating, but because they lied to the principal.

The kid who gave the beating was suspended and not allowed to participate in graduation, but he did graduate from 8th grade and move on to high school. He was lucky the issue was not escalated to the police department. In the day of camera phones it’s remarkable that he didn’t have the common sense to not get into a fist fight, and the other Einstein who videotaped it also had no common sense. I’m glad my sons were not involved, but it became a very good life lesson discussion on the evils of capturing inappropriate images or videos and then posting them on social media. I literally told them, if they are ever walking home and something like this happens, RUN the other way and come home.

Another discussion point down the same path is never get into txt message wars, do not send emails that contain anything negative, and never get into social media wars. If it’s not nice, don’t post it.

In my current role, I hire consultants. The skill set I need for a certain role is VERY specific: application security manual testing, with knowledge of Java and J2EE, Burp Suite, and other manual testing tools. It’s a difficult skill set to find. To determine if the candidate is worth having a discussion with, we have a test we send the potential candidates. It’s open book. They do the answers at home. And they can Google to get the correct answers. For candidates that really want to come work for me, they can even “mock up” the source code examples, compile them, and get the 100% correct answer. But, unfortunately, application security is a hot market, and candidates can find lots of opportunities, so they simply don’t take the time to answer the test questions. So they don’t do well on the test, and we don’t have much interest in interviewing them. Q.E.D.

I use a consulting company for these technical application security consultants. We paid them about $300K this year, and we have committed to spending another $400K with them in 2015. The recruiter presented a candidate that did poorly on the test. But, meh, I thought we would interview him. And it’s the holidays and it’s hard to get the right people on the interview, so I ultimately agreed to have the phone interview on a Tuesday, and here is where the wheels came off the bus. I did not schedule the interview on Tuesday fast enough for his liking, so the recruiter had some type of FIT, and instead of texting whomever he wanted to text that I was trying to be a “douche bag” for dragging my feet setting up the interview for his less than qualified candidate, HE SENT THE TEXT to me. Spend $300K with a vendor in 2014. Lock in a spend of $400K with a vendor for 2015. Get a text message from the vendor calling me a “Douche Bag”. PRICELESS.

The lesson learned? Only send positive text messages, emails and social media posts. I bet the executives at Sony are also wishing they had followed these guidelines when referring to the talent they work with in such a negative fashion. If I were the talent that was bashed, I would certainly not work with Sony again, based on the emails that the Sony hackers have released from the Sony executives.

john

IT Security | 15 Jan 2013 10:50 am
I’ve been doing a lot of thinking about the Internet wunderkind Aaron Swartz case and his unfortunate suicide. My day job is on a Global Information Security team for an amazing company as an expert in Data Loss Prevention, protecting a company’s Sensitive Information, Personally Identifiable Information including HR data, and Intellectual Property including source code. I have also spent years as a Computer Forensics expert. So given my background I am typically never on the side of somebody who would be accused of hacking. But was that really what was going on here? I’m not so sure.
There are a few facts associated with the criminal case against Aaron. He did access an unlocked wiring closet in the basement of the MIT campus, connect a laptop to the MIT wireless network, and download 4 million scholarly documents from the JSTOR repository. When accessing the JSTOR database from the MIT registered Internet IP address block, unlimited access to the data was allowed.
Then we have a couple of facts that have not been reported as widely. The wiring closet at MIT was unlocked. In addition to computer wiring, a homeless person was using the room to store his or her stuff. So there was not really a breaking and entering in my mind. When I was in Boston last summer my boys and I walked through the MIT and Harvard campuses and buildings, to elicit interest and excitement for my boys in higher education. It’s not like the campus was locked down. And I believe that Aaron’s father worked for MIT. So was leaving a laptop in an unlocked room at the university really a crime?
The MIT wireless computer network had no authentication requested or required prior to receiving an IP address on the MIT wireless network. You attempt to connect and you get an IP address. There was NO authentication or security requested or required. So where is the crime in accessing the computer network if the MIT computer network did not instruct you that access to the network was restricted? I believe in the past the court system has struck down implicit consent to terms of service without proper acknowledgment.
When I stay at a hotel, or attempt to use Internet access at a restaurant like Panera, when I connect to the wireless network I get directed to a web page that explains the terms of use when using the Internet access provided. MIT had no such landing screen when connecting to the MIT computer network. Without such warning or agreement on the part of the user, was there really a crime committed? I think that there would have been a very good chance that the charges would have been dismissed if the case ever went to trial.
There have been a couple of very good blog entries from people who knew Aaron and assisted him with the case. One from Harvard fellow Lawrence Lessig, who characterized the US Prosecutors’ supposition that the information that Aaron downloaded was worth tens of thousands to millions of dollars. He characterized anybody who said that as “idiots and liars”. Was the act of downloading scholarly journal information really a crime when access through the paywall was acceptable from the MIT network? And the MIT computer network had no authentication required and no warnings that using the MIT computer network was restricted? I’m not sure about it.
The entire article from Lawrence Lessig can be found here:
There was also a very good article by one of the Forensic examiners who was working on the case. He said that if he was asked at the trial if Aaron’s actions were wrong, he would not characterize them as wrong, but rather, inconsiderate.

Now did Aaron have some accountability in the mess with the federal government and the US prosecutor that he found himself in? Absolutely. There are some damning pictures from the case circulating around the Internet that show Aaron being captured on a hidden camera in the wiring closet wearing a mask to hide his face when he returned to retrieve the laptop. This documents that Aaron was well aware that his actions could be perceived as being against the law. And to that end, he should have been held accountable, and suffer a consequence for actions that he appears to have known were illegal.
So let’s talk about accountability. JSTOR, the not-for-profit that stores and allows access to the information, declined to press charges against Aaron, and settled with him in June 2011 when Aaron returned the laptop with the information and agreed not to publish the information. JSTOR instructed the US Attorney they DID NOT want charges against Aaron for accessing the data, and would not participate further in the case. Kudos to JSTOR for recognizing the case for what it was. Much ado about nothing.

MIT, the university, DID NOT decline to press charges. Because of this the US Attorney was empowered to bring 13 federal charges against Aaron that could have resulted in a sentence of 35 years in prison and a $1.5 million fine. I find this to be a ludicrous potential outcome for actions that I have not personally come to terms with even being considered a crime, given where and how the activities occurred.

I think that MIT should take full accountability for the lunacy of NOT instructing the US Attorney that MIT did not want the case to move forward, would not participate in the case, and wanted the case dismissed. I mean, what was the information being captured? Scholarly information? There was NEVER any proof that Aaron intended to publish the information online outside of the JSTOR paywall. Accessing JSTOR from the MIT network was not illegal. And accessing an open computer network at MIT that did not require authentication does not strike me as illegal. And, given the benefit of the doubt, maybe Aaron was an idiot savant who wanted to personally read the 4 million scholarly documents that he downloaded? I still fail to see illegality in Aaron’s actions. But, alas, MIT, to their shame, did nothing to stop the prosecution of, by all accounts, a very talented technologist.
Over the course of the last two years, Aaron’s attorneys attempted to negotiate a plea bargain. In my opinion, the charges should have been reduced to a misdemeanor and Aaron given probation and told to never do this again. MIT, as an institution whose sole mission is to empower our best and brightest technologists, failed Aaron miserably. The very lack of compassion by the leaders of MIT is mind boggling considering that in the MIT museum they have a section devoted to MIT hackers. Those at MIT who have been honored in the museum’s hacker section are there because they chose to think outside the box. It’s interesting to note also that Steve Jobs and Steve Wozniak, the founders of Apple, dabbled in “hacking” back in the day creating BLUE BOXES that enabled a person to illegally make long distance calls at no cost. It’s inconceivable that we would have NO Apple computers, iPhones, or consumer electronics, if the US Attorney had put both Jobs and Wozniak in jail for 35 years for building Blue Boxes. As it turned out, John Draper, AKA Captain Crunch, got 2 months in prison for building and using BLUE BOXES, during which time he wrote one of the world’s first word processing software programs.
In addition to the failure of MIT to protect a brilliant and naïve technologist, it was an utter and complete failure of the US Attorney to pursue the scorched earth prosecutorial approach against Aaron for his crime. While allowing the likes of HSBC to skate away virtually free and not accountable for providing money laundering services as the drug cartels laundered billions of dollars in illegal drug money, they chose to treat Aaron harsher than murderers and the 9/11 terrorists. I think that Eric Holder needs to initiate a thorough review of how this case proceeded through the justice department, and quite possibly request the resignation of the US Attorney who propagated this case through the court system.
With the entire weight and force of the United States government behind it, and all of the resources and funding that come to bear with it, the US Attorney’s office must take a measured approach that truly and impartially reviews the causes and actions that they are taking. It makes no sense whatsoever in any measured view that downloading scholarly journals to a laptop computer would elicit a 13-count federal indictment, a potential of 35 years in prison and a $1.5 million fine.

And now, it’s too late for Aaron. I think that there were many reasons beyond the case that were bubbling through the mind of this young, troubled and unstable brilliant technologist to lead him down the path he chose. Depression can be a terrible thing. If anything positive can come out of this sorry affair, maybe it would be a spotlight on depression and the treatment of it, and a review of the prosecutorial indiscretion demonstrated through this episode of folly, with some checkpoints being put in so that this can never happen again.

God Speed Aaron Swartz
IT Security | 12 Jun 2011 03:47 pm

Being an IT security guy, I have always protected my business and personal email addresses. I have a webmail account I use to register for things online, so my objectsoft.com email address has less of a chance of getting into a SPAMMER’S database. And up until recently, that worked out very well. Unfortunately, my primary email address did get into a SPAM database, but so far it has been manageable.

But this is interesting. We refreshed the Objectsoft.com web site a few weeks back and added a contact us form. The web site in this current incarnation is new, and the contact form is new, but in the last few days I have received a handful of SPAM contact form posts. That’s right. SPAM on the contact form with a link to other web sites in the comment field.

That seems to me to be a lot of work: write a web crawler that searches the Internet for contact forms, reads the HTML, fills in the fields like name, email address and telephone number, and then places a link in the comment field.
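The crawler described above fills every visible field and drops a link into the free-text one, which is also what makes it easy to filter on the server. The following is an added example (not code from the Objectsoft.com site) of a small server-side triage for contact-form posts: it rejects submissions that fill a hidden "honeypot" field that a browser user never sees, and submissions whose comment contains URLs. The field names, the sample submissions and the zero-link policy are assumptions for illustration.

```python
"""Server-side triage of contact-form posts (added example, hypothetical field names)."""
import re
from dataclasses import dataclass

# Matches http(s):// links and bare www. hosts anywhere in free text.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# Assumed policy: a genuine enquiry to a consulting firm does not need links at all.
MAX_LINKS = 0
# Hidden input that real users leave empty; form-filling crawlers tend to populate it.
HONEYPOT_FIELD = "website"


@dataclass
class Verdict:
    accepted: bool
    reason: str


def classify_submission(form: dict) -> Verdict:
    """Return a Verdict for one contact-form post (a dict of field -> value)."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return Verdict(False, "honeypot field filled")
    comment = form.get("comment", "")
    if not comment.strip():
        return Verdict(False, "empty comment")
    links = URL_RE.findall(comment)
    if len(links) > MAX_LINKS:
        return Verdict(False, f"{len(links)} link(s) in comment")
    return Verdict(True, "ok")


def triage(submissions: list) -> dict:
    """Count accepted vs rejected posts, grouped by rejection reason."""
    summary = {"accepted": 0, "rejected": {}}
    for form in submissions:
        verdict = classify_submission(form)
        if verdict.accepted:
            summary["accepted"] += 1
        else:
            summary["rejected"][verdict.reason] = summary["rejected"].get(verdict.reason, 0) + 1
    return summary


# Constructed sample posts modelled on the behaviour described in the blog entry.
SAMPLE_POSTS = [
    {"name": "A. Client", "email": "client@example.com", "phone": "555-0100",
     "comment": "Hi, we need help with an application security assessment."},
    {"name": "Best Deals", "email": "bot@example.net", "phone": "555-0199",
     "comment": "Great site! Visit http://shop.example.net/offer and www.example.org/x"},
    {"name": "Crawler", "email": "bot2@example.net", "phone": "555-0198",
     "website": "http://filled.example.net", "comment": "Nice page."},
]

if __name__ == "__main__":
    print(triage(SAMPLE_POSTS))
```

The honeypot check runs first because it costs nothing and catches crawlers that fill every input they find; the link rule is the fallback for bots that skip hidden fields. On a real site the rejected posts should still be logged so the rule can be tuned.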

Rest assured that I am not going to click on the link I received, but the depths to which these spammers will go to get a person to click on a link and visit a web site is pretty amazing.

Security Land Lives!

IT Security | 28 Feb 2009 10:55 am

When I last declared victory in my previous blog entry, the system wasn’t completely clean. When the system rebooted, my screen background would switch to a blue background towards the end of the system boot process.

Running AVG and Microsoft One virus scans found nothing, but after leaving a browser sitting on the screen for half a day, it finally tried to jump to an adware site.

The jump to the adware site was blocked, but here was the trick. The URL tried to access a file in \System Recovery Folder\ which I had not noticed before. This is a hidden administrator folder that you cannot get into. And the spyware planted itself in that directory, which I believe is beyond the reaches of anti-virus. Googling around, I found that you can only delete that folder by disabling System Recovery. System Recovery creates that directory for recovery purposes and denies everything else access to the info, which was the perfect place for the virus to sit.

The system is clean. No weirdness at all.

It is really frustrating that spyware sits and waits for days before actually trying to kick off. Microsoft One has a long way to go to catch up with AVG, which appears to have cleaned the machine.

IT Security | 20 Feb 2009 12:27 pm

As I might have mentioned before, in addition to being an IT Security GURU, I own another retail business in the burbs. I have a partner that runs it, and I stop by and visit on occasion to check out the happenings. We have a nice office in the back, with a plasma TV, HD cable, DVD, etc., and a nice kitchen setup, so it’s fun to work out of that office on occasion.

I have a sweet computer setup. A really fast XP machine with 2 giant monitors. But, not being at the store very often, somebody used my computer and started a virus and spyware infestation. When you watch these viruses and spyware it’s amazing to see them download and install their friends. The only way to staunch the flood of viruses was to unplug the NIC card from the network, which resulted in a screen full of “Can’t download the file” error messages.

HijackThis did a relatively good job killing some processes that were infected on the computer. But, while zapping processes, I managed to trash TCP/IP on the XP system. Googling, I eventually found a TCP/IP repair kit that re-installed networking functionality.

Symantec Anti-Virus didn’t have much luck removing the infestation. It is possible that Symantec was corrupted and disabled. The viruses disabled the task manager and, for a strange reason, corrupted Notepad.

I installed Microsoft One, which did a reasonable job with most of the spyware, but I would still get pop-up ads on the computer. Very strange, since Microsoft One said the machine was clean.

Next I downloaded Adaware, which found additional spyware, but I was still getting the click ads popping up.

Next I downloaded AVG and tried to install it, but it was being blocked by Adaware from actually installing. So I had to disable Adaware’s anti-spyware to install AVG.

AVG ran and found additional spyware, which stopped the ads, but I installed the AVG toolbar, which itself redirects the browser to ad sites, which is very strange.

I killed the AVG toolbar, rebooted and those pop-ups stopped!

Microsoft One, Adaware and AVG are all reporting the system clean. I can tell you one thing. I changed the password on my PC, since I’m not going to get these 3 hours back again.

IT Security | 14 Feb 2009 10:38 pm

When I first started this blog, I named it after a dial-up hacker BBS system I learned about when I was in high school. Back in the day, you would get to high school early, go to the computer lab, and get to use a DEC or Olivetti paper terminal with a 300 baud modem to call BBS systems.

In Chicago, you could call CBBS/Chicago, the FIRST computer BBS system, created by Ward Christensen and Randy Suess. After CBBS/Chicago came FIDO/net, and I even ran a copy of the original CBBS software on a CP/M computer in my basement. My BBS system was called Logopolis, where Dr. Who fans could discuss the Doctor Who series on Channel 11.

Anyways, there was a hacker BBS out there that was called Security Land. And when you attempted to access the BBS system, you had to type in a few code words to get in.

The first was:

Security Land Lives

I don’t remember the 2nd or 3rd code phrase, but I think I have a printout of the web site someplace that has it. That’s why I named my blog site Security Land Lives.

I was using Network Solutions for domain registration services but migrated over to Dream Host. I forgot to migrate Security Land Lives.com over to Dream Host domain management, and about 2 years ago it expired and a domain thief grabbed it. I guess after 2 years or so with NO interest, they let it lapse, and I grabbed it back again.

Instead of messing around trying to get WordPress back to the .com site, I just put a redirect on the domain to .net. But I’m going to keep it renewed this time through Dreamhost Domain Registration.

Security Land Lives!

IT Security | 14 Feb 2009 06:25 pm

In addition to my IT consulting business I have other business interests, including a retail store and an investment firm that provides capital market financing. We also provide services to reverse merge private companies into public shells to go public, if anybody is interested, anyways…

At the office in the back of the retail store, I have a nice setup. I have a desk, a plasma TV, very high speed Internet, water cooler, etc. It’s a sweet place to work out of, regardless which business I am working on.

My partner in that business set me up with a sweet computer. Dual monitors, very fast computer, etc. But, since I am not there very often, somebody used the computer and it got infected with a virus. And this virus started downloading its friends: other viruses, spyware, adware, etc.

Using HijackThis I tried to get rid of as much as I could. I then blew away Windows TCP/IP, which was another mess to restore, but finally got the machine back on the IP network.

Microsoft One did a good job removing dozens of viruses, spyware, etc. But it did not get everything. Ad Aware found some things that Microsoft One did not, but I kept on running the scans over and over and they still kept on re-appearing.

Microsoft One finally came up clean, and Ad Aware did too, but while I was still cleaning them out, Microsoft One blocked a program from connecting to the Internet, so I had it removed too.

When I head back to the office next week, I’m going to have to see if it is clean.

The PC had Symantec anti-virus on board, but that did not block the initial infection.

I also forgot to mention that one of the viruses turns off the task manager so you can’t get into it. It’s really a mess trying to clean out the machine.

IT Security | 04 Aug 2008 10:30 am

After uninstalling the corrupted Norton anti-virus, I re-installed a fresh version of Norton Security Center. The firewall has not reported any processes attempting to reach out to the Internet. No processes attempting to join a botnet using IRC. No rogue processes trying to send email on port 25. It’s very strange. No rogue listeners bound to any TCP/IP ports. Maybe the machine did not have a SPAMbot, but a malfunctioning version of Norton that was sending the same email over and over? There has to be some residual artifacts or aberrant behavior to validate that a SPAMbot was on the computer, but so far, nothing. I’m shifting towards no SPAMbot on my PC, but still, it’s strange that Comcast detected rogue emails for one day, and a corrupt Norton A/V. Maybe the email scanner from Norton flipped out and caused the problem. The quest continues.

IT Security | 30 Jul 2008 07:13 pm

I continued reviewing my computer and installed Spybot S&D to look for the remains of a nasty little SPAMBOT on my computer, with still no signs of it. I have my network snoop still running and don’t see any traffic leaving my system, and checking netstat -ab doesn’t show any rogue processes binding a port to listen. Who knows. Maybe AV freaked out on my computer and started spewing emails out the Internet pipe, since the product does have the functionality to scan and forward emails to the Internet. I’m going to start googling for info on Norton AV freaking out and sending SPAM on port 25. If there was a bot on my computer it must have left something behind. More details as they develop.
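The checks in the two entries above (no process joining IRC, none sending on port 25, no rogue listeners in netstat -ab) are the classic spambot triage, and they are easier to repeat if the netstat output is parsed rather than eyeballed. The following is an added example, not code from the blog: a small parser for the Windows netstat -b layout (owning executable in brackets under each socket line) plus a function that flags listeners not in an allowlist and any process talking to a remote SMTP or IRC port. The sample output, the process names, the addresses and the allowlists are all constructed for illustration.

```python
"""Parse netstat -b style output and flag sockets a spambot would leave behind.

Added example. SAMPLE is constructed to mimic Windows `netstat -b` output; the
executable names and addresses in it are invented, and the allowlists below
are assumptions a user would tailor to their own machine.
"""
from dataclasses import dataclass, field


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str
    exe: str = ""                      # executable shown in [brackets] by netstat -b
    components: list = field(default_factory=list)  # service/DLL lines, if any

    def port(self, side: str) -> int:
        """Numeric port of the local or foreign address, or -1 for '*' / unknown."""
        addr = self.local if side == "local" else self.foreign
        tail = addr.rsplit(":", 1)[-1]
        return int(tail) if tail.isdigit() else -1


SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 [System]
  TCP    192.168.1.10:1034      203.0.113.7:6667       ESTABLISHED
 [updater32.exe]
  TCP    192.168.1.10:1035      198.51.100.22:25       SYN_SENT
 [updater32.exe]
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
 [updater32.exe]
  UDP    0.0.0.0:137            *:*
 [System]
"""


def parse_netstat(text: str) -> list:
    """Turn netstat -b text into Socket records, attaching the owner lines that follow each socket."""
    sockets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active", "Proto")):
            continue
        parts = line.split()
        if parts[0] in ("TCP", "UDP"):
            state = parts[3] if len(parts) > 3 else ""   # UDP lines carry no state
            sockets.append(Socket(parts[0], parts[1], parts[2], state))
        elif sockets and line.startswith("[") and line.endswith("]"):
            sockets[-1].exe = line[1:-1]
        elif sockets:
            sockets[-1].components.append(line)
    return sockets


# Assumed allowlists: processes expected to listen, and processes allowed to speak SMTP/IRC.
EXPECTED_LISTENERS = {"System", "svchost.exe"}
EXPECTED_MAILERS = {"outlook.exe"}
WATCHED_FOREIGN_PORTS = {25: "SMTP", 6667: "IRC"}


def find_suspicious(sockets, listeners=EXPECTED_LISTENERS, mailers=EXPECTED_MAILERS) -> list:
    """Report unexpected listeners and any non-allowlisted process reaching SMTP or IRC ports."""
    findings = []
    for s in sockets:
        if s.state == "LISTENING" and s.exe not in listeners:
            findings.append(f"unexpected listener {s.exe or '?'} on {s.local}")
        service = WATCHED_FOREIGN_PORTS.get(s.port("foreign"))
        if service and s.exe not in mailers:
            findings.append(f"{s.exe or '?'} talking {service} to {s.foreign} ({s.state})")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_netstat(SAMPLE)):
        print(finding)
```

Run against a saved netstat -b capture, the output points straight at the owning executable, which is the artifact the entries above were looking for. Keep in mind that a bot which only wakes up for a burst and then exits, as the blog suspects, will not appear in a single snapshot; sampling repeatedly and diffing the findings is the way to catch that.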

IT Security | 29 Jul 2008 06:56 am

I spoke with the Comcast Abuse/Legal department this morning, and they did indeed confirm that Comcast blocked TCP/25 outbound from my Internet connection, because SPAM email was coming from my connection for 1 day. It’s nice to know that they are monitoring Internet connections from their subscribers, but it’s kind of Big Brother-ish to think that they are blocking TCP ports without telling anybody.

And there is no going back. Comcast said that they, and the other ISPs, will be blocking TCP/25 permanently to reduce the amount of SPAM emanating from home users, forcing their customers to use TCP/465 and SSL authentication. I was just ahead of the curve since I triggered an anti-spam monitor from my house. I reconfigured all of my POP accounts to use authentication and it’s working fine. But TCP/25 SMTP will be gone from home ISPs shortly.
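The monitor that tripped here distinguishes a mail client (a few connections to one provider, increasingly on the authenticated TCP/465 submission port) from a spambot (many connections to many mail servers on TCP/25 in a short time). The following is an added example, not Comcast's logic or the blog's code, of that distinction applied to connection records from a home router or firewall log: it counts distinct TCP/25 destinations per source inside a sliding time window and ignores authenticated submission ports. The record format, the sample lines and the threshold are assumptions.

```python
"""Flag hosts that spray SMTP connections the way a spambot does (added example).

FLOWS is a constructed log in a simplified 'timestamp src dst dport' form; the
window and threshold are assumptions to tune against real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Authenticated submission ports: normal for a mail client, so not counted.
SUBMISSION_PORTS = {465, 587}

FLOWS = """
2008-07-28T10:00:01 192.168.1.10 203.0.113.5 465
2008-07-28T10:00:05 192.168.1.10 203.0.113.5 25
2008-07-28T10:30:00 192.168.1.10 203.0.113.5 25
2008-07-28T10:05:00 192.168.1.20 198.51.100.1 25
2008-07-28T10:05:10 192.168.1.20 198.51.100.2 25
2008-07-28T10:05:20 192.168.1.20 198.51.100.3 25
2008-07-28T10:05:30 192.168.1.20 198.51.100.4 25
2008-07-28T10:05:40 192.168.1.20 198.51.100.5 25
2008-07-28T10:05:50 192.168.1.20 198.51.100.6 25
2008-07-28T10:06:00 192.168.1.20 198.51.100.7 25
2008-07-28T10:06:10 192.168.1.20 198.51.100.8 25
2008-07-28T10:07:00 192.168.1.20 203.0.113.9 587
"""


def parse_flows(text: str) -> list:
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def smtp_spray(records, window=timedelta(minutes=10), max_dests=5) -> dict:
    """Return {src: set_of_dsts} for sources that contacted more than max_dests
    distinct hosts on TCP/25 within any period of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(records):
        if dport == 25 and dport not in SUBMISSION_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():      # events are already time-ordered
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # slide the window forward
            dests = {d for _, d in events[start:end + 1]}
            if len(dests) > max_dests:
                flagged[src] = flagged.get(src, set()) | dests
    return flagged


if __name__ == "__main__":
    for src, dests in smtp_spray(parse_flows(FLOWS)).items():
        print(f"{src}: {len(dests)} distinct SMTP servers in one window")
```

The same counting works on the ISP side per subscriber line, which is why one day of spraying was enough to trigger the block described above; on the home side it is a useful check to leave running while hunting for a bot that only wakes up intermittently.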

Norton reports no virus on my computer, and I checked one of the other home computers and found no viruses. I’m going to continue to search for what was on my computer that was able to send spam, and then managed to hide itself and disappear when the computer was rebooted.