@orinthomas: It shouldn't be a surprise to anyone to learn that the personal computers of a lot of people have what might be delicately termed "software sourced through alternative methods of distribution". With corporate managed desktops, everything is locked down, so it's unlikely that a user would be able to download and install an application that they "sourced from BitTorrent".

A recent survey of corporate network internet traffic for large organizations (http://www.paloaltonetworks.com/researchcenter/2012/01/browser-based-filesharing-usage-work-or-entertainment/) found that a substantial percentage of traffic on corporate networks was people downloading not only movies and TV shows, but also applications, Photoshop being the most popular.

It is interesting to speculate what happens when organizations encourage users to "bring your own device (BYOD)" for work. It is not unreasonable to assume that if people are already using the company internet connection to download software like Photoshop to their locked-down desktops, they won't suddenly decide to stop doing that now that they are using their own laptops.

Spend any time around debates on piracy and you'll hear that "pirating X is justifiable because X was too hard/complicated to acquire legally". I'm sure that organizations that have BYOD policies also have some sort of bureaucracy to ensure that these users are provisioned with software that allows them to do their job. I'm also sure that, as with any system, a certain number of users are going to do an end-run around the red tape and download the software that they feel they need to do their job from sites like MegaUpload's many clones. In the past people might download Photoshop from Megaupload, but they couldn't install it on their work computer because that computer was locked down. Now that they are using their own computers, there are no such restrictions. There are two big risks w...
@orinthomas: "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." Cardinal Richelieu (1585-1642)

News Corporation is now finding out why they should have had, and implemented, a good data retention and deletion policy: http://www.theage.com.au/technology/murdochs-new-headache-the-secrets-of-data-pool-3-20120130-1qoq0.html

Some organizations have a packrat mentality when it comes to the retention of data. They keep it all rather than expunging it once it is no longer legally required. That seems like a great idea until clever lawyers start discovery proceedings. Those usually cover "everything you've got" rather than "everything you should legally have". So if you're meant to keep something for 7 years, a mechanism should be set up to automatically expunge data that is 7 years and 1 day old.

Many organizations have approached retention laws with an attitude of "just keep everything forever to be safe". While that's a noble goal, just remember Cardinal Richelieu's quote. If you don't *need* to keep it, you *shouldn't* keep it on the off chance that you *might* want it....
@orinthomas: This week anti-malware vendor Symantec announced the discovery of 13 different malware-laden apps from 3 different publishers in the Android Market. Traditionally, Android malware authors publish an application that is simply a repackage of an existing application with exploit code added. With the size of the Android Market and the many copycat applications already published, users choosing a "cheaper" version of an application can be in for a nasty surprise.

The new Android malware, named "Android.Counterclank", involves new rather than rebundled applications. This makes detection more difficult: a user can make a fair guess that a much cheaper rebadged version of an existing application might be a trap, but until now malware developers hadn't gone to the effort of creating their own unique applications. In this case the applications were offered for free, but it won't be long before malware authors charge money for these applications, as people again assume that something they pay for and which appears unique must be legit.

The applications themselves request substantial privileges. The problem is that, like those users who disabled User Account Control on computers running Windows Vista and 7, the majority of users pay as much attention to requests for privileges as they do to End User License Agreements. They click Yes because they want to get to the app. The only way to stop this sort of thing happening is for there to be a more rigorous attempt to curate the Android Market. As people put more of their personal and financial details into their mobile devices, there will be greater incentive for malware authors to target the dominant mobile platform. It's reasonable to assume that while some malware apps have been discovered, there will be other malware-laden apps sitting in the market that haven't been found yet.

You can find out more, including the list of problematic applications, at Symantec's site: http://www.symantec.com/connect/fr/bl...
@orinthomas: There's a joke I heard that went "making something more secure makes it more inconvenient, so the more inconvenient you make something, the more secure it gets."

The tension between IT departments and the Bring Your Own (BYO) Device crowd isn't an issue of IT departments being drunk on their own power, forcing workers to use uncool computers that have all the style of purple shag pile carpet. It's an issue of convenience versus security. BYO Device is a convenience issue, and keeping a personally managed computer secure is inconvenient. That's why, a year after Windows 7 was released, 25% of computers had out-of-date anti-malware protection. Source: http://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx. The chance of a personally managed computer having out-of-date malware protection increases with the age of the computer.

It's hard to manage and monitor BYO Devices. A phone, tablet, laptop, or ultrabook could be working fine or completely infested with malware. Unless you have some sort of monitoring solution, it's almost impossible to tell. An organization considering a BYO Device policy needs to take steps to ensure that security is maintained, and that the devices connecting to your Exchange and SharePoint servers aren't riddled with malware. In the long run, it might be simpler and cheaper to buy users flashy computers and manage them centrally rather than to hope that they'll keep the security on their own devices up to snuff.

-- My new book: Windows Server 2008 R2 Secrets. It is a book for experienced Windows administrators who are new to Windows Server 2008 R2 and don't need a lot of basic introductory level material: ...
@orinthomas: Security vendor Palo Alto Networks monitored a week's worth of traffic traversing the internet gateways of 1,636 businesses, each of which had at least 2,500 users, and published a report about it here: http://www.paloaltonetworks.com/researchcenter/2012/01/browser-based-filesharing-usage-work-or-entertainment/

Although a lot of the commentary on this report focused on the widespread use of the site Megaupload and of BitTorrent on these large enterprise networks, the figure that surprised me was that TOR traffic was found on 13% of these networks. TOR (The Onion Router) is an application designed to allow anonymity online. It works by routing traffic through a network of servers spread across the world. This routing hides a user's location from anyone interested in performing traffic analysis, functionally eliminating the likelihood of being able to track or block users accessing restricted sites.

Given the BitTorrent traffic measurements and the usage of the site Megaupload, taken down in the last few days by governments with indictments related to copyright infringement (the report also details that the most commonly downloaded content from Megaupload on corporate networks was pirated applications, including Photoshop and popular games), it isn't surprising that TOR utilization is present on corporate networks. But if your organization has a policy blocking access to certain sites (porn, social networking, warez, sports), as I imagine most of these enterprise networks do, you'd probably want to be pretty certain that people weren't using something like TOR to bypass those policies. If an employee is downloading and watching porn on his computer at the office, it's a sure bet he'll be fired. But it is also a sure bet that you, as network administrator, are going to get some uncomfortable questions about how that access was possible when you'd been asked to ensure that it wasn't.

You can find out more about TOR at: http://en.wikipedia.org/wi...
@orinthomas: Twitter malware and spam uses a pretty straightforward attack vector. You get a Twitter message from an account (usually with an attractive female avatar) telling you that you'll get something awesome if you click on the helpfully provided link. Most people don't click, because they realize that if a hot chick sends you a link on Twitter claiming you'll win a free iPad, it's probably not legit. If you do visit the site, at best you've been spammed. At worst it hosts malware that tries to infect your computer.

Today's Twitter spam is quite crude. With the sort of Twitter analytics provided by sites like Klout, I imagine that it will become a lot more sophisticated. Klout (and sites like it) allow you to quickly determine what a person's interests are based on their Twitter output. If you were trying to get someone to click on a link to infect them with malware, you're going to be far more successful if you are hitting a topic that they are clearly interested in than with a random promise of a popular product like an iPad. Random people do legitimately send you links about stuff you are interested in on Twitter. If someone tweeted me with a link to a topic I'd just tweeted about, I'd be a lot more likely to click on it than I would a random link sent without context.

So a belated security prediction: Twitter link spam will get a lot more context-aware in 2012, and it's going to be difficult to make an eyeball determination whether someone you don't know has sent you a link because they follow you and they think you will be interested in a topic, or whether they are just trying to spam you, possibly with a link that contains a browser exploit.

-- My new book: Windows Server 2008 R2 Secrets. It is a book for experienced Windows administrators who are new to Windows Server 2008 R2 and don't need a lot of basic introductory level material: ...
@orinthomas: Windows 8 will include an improved version of the Windows Defender anti-malware software: http://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx

This means that all computers running Windows 8 will, at least when they are first powered on and connect to the Internet, have up-to-date anti-malware protection. Microsoft has also indicated that if a third-party anti-malware application is installed on a computer running Windows 8, Defender will essentially deprecate itself in favor of the alternative. As you can probably guess, when Windows 8 releases, OEMs will continue to provide trial subscriptions from anti-malware vendors with the machines that they ship. This happens because anti-malware vendors provide OEMs with compensation for including trial versions of their software with new machines.

The study cited above found that 12 months after Windows 7 was released, roughly 25% of computers running Windows 7 didn't have up-to-date anti-malware software. This was down from almost 100% of computers having anti-malware software at RTM. The proposed hypothesis was that a year down the track, 25% of people had let their initial trial subscription expire and hadn't got around to, didn't realize that they needed to, or flat out didn't intend to renew their subscription. The problem is that anti-malware software without an up-to-date subscription is about as effective at protecting you from new strains of malware as gumboots are at protecting you from crocodiles.

There is no real reason to believe that people running Windows 8 will be any more diligent about keeping their anti-malware subscription current than people running Windows 7. Which suggests that 12 months down the track, sometime in mid 2013, approximately 25% of computers running Windows 8 won't have up-to-date anti-malware definitions. While Windows 8 will be able to detect when someone hasn't updated their definitions for some time I suspec...
@orinthomas: One figure that's pretty difficult to get is the number of computers out there that don't have any form of anti-malware software deployed. For example, Microsoft's data showed that approximately a year after Windows 7 was released, approximately 25% of computers running the operating system did not have current anti-malware protection. Getting data on computers running Windows XP (roughly 50% of all computers running Windows in the world) is difficult, but it is not unreasonable to suspect that the number not running up-to-date anti-malware protection is much higher than 25%.

So even though Microsoft Security Essentials (MSE) and other free anti-malware solutions have been available at no cost for the entire period that Windows 7 has been available, 25% of people running Windows 7 (as of October 2010; the numbers are likely much worse now, source: http://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx ) either don't have anti-malware software or don't keep it up to date. MSE is pretty fire-and-forget: once it's installed it pretty much looks after itself. So why do at least a quarter of people running Windows 7 (and even more running previous versions of Windows) either not install anti-malware software or let it get out of date?

The reasons for this are complex. I updated my aunt's Windows 7 computer at Christmas time and installed MSE because no anti-malware program was installed. It took her a while to understand that she didn't have to pay Microsoft for the installation of MSE, as in the past "she'd always had to pay for anti-virus software". Her computer was unprotected because she thought she had to pay for that protection and hadn't got around to it. Most people are introduced to anti-malware software through the included subscription that comes with their computer from the OEM. They let that subscription expire because they aren't aware of the alternatives. Enough people renew their subscriptions...
@orinthomas: According to the recent OOB Bulletin Q&A and Webcast, MS11-100 was pushed out because exploiting the vulnerability in a denial-of-service attack was relatively straightforward once details of the vulnerability were made public. MS11-100 does not address a vulnerability that could be used to directly trigger remote code execution. MS11-100 also fixes an elevation of privilege vulnerability and a spoofing vulnerability that were otherwise going to be addressed in January's Patch Tuesday.

You can catch the entirety of the webcast with Pete Voss and Jonathan Ness here: http://blogs.technet.com/b/msrc/archive/2011/12/30/december-2011-out-of-band-bulletin-release-q-amp-a-and-webcast.aspx...
@orinthomas: Internet Explorer 9 Tracking Protection is an updated form of InPrivate Filtering. InPrivate Filtering was a little-known mode in IE 8 that allowed you to block third-party websites once they had tracked you across a threshold number of sites during a browsing session. Tracking Protection allows you to block third-party analytics sites that track your browsing activity across multiple sites. You can handle Tracking Protection manually, or you can download an add-on from a tracking list provider such as Adblock Plus. Using tracking lists isn't something that will remove advertisements from Internet Explorer, but it will stop data about your browsing session being sent back to tracking providers.

To enable Tracking Protection in IE9, open the Manage Add-Ons dialog box and select Tracking Protection. From here you can click on "Get A Tracking Protection List" online. You can have more than one Tracking Protection List enabled at any one time. By default you can't block the display of all advertisements in Internet Explorer the way you can in Firefox through add-ons, and you will never be able to do so directly in Chrome because the creators of Chrome are, of course, in the business of selling Internet advertising. Tracking Protection Lists are a neat way of blocking the most maliciously invasive sites on the web; they're just something that most people never find out about because they don't bother digging about in the Manage Add-Ons dialog box of IE.

-- My new book: Windows Server 2008 R2 Secrets. It is a book for experienced Windows administrators who are new to Windows Server 2008 R2 and don't need a lot of basic introductory level material: ...