Sometimes conveniences become vulnerabilities, and most often people are still the weakest link in information security. So much of the security realm tends to focus tightly on automation to the detriment or exclusion of education that we attempt to solve basic human behavior problems in software. E-mail is still the most prevalent avenue of delivery for inbound threats, and it is undoubtedly the most common avenue of data loss. But how far has security awareness training gotten us? And are we adequately shoring up weaknesses, or just reaching for the latest elixirs?
August 5, 2009
E-mail: Does auto-complete equal auto-disclosure?
Posted by Robert under E-mail, Security | Tags: Auto-Complete, Blackberry, Data Protection, DLP, e-mail, iPhone, Microsoft Exchange, Outlook, Security
July 22, 2009
NTP Time Synchronization with XenServer 5
Posted by Robert under I.T. | Tags: glibc, iptables, NTP, Xen
NTP troubleshooting can involve checking configuration settings in ntp.conf, basic network connectivity and firewalls. Sometimes the problem is immediately apparent, but not always. While attempting to set up one XenServer 5 system as the NTP server for others (rather than having all of them contacting NTP servers on the Internet, and writing broader firewall rules to support that), I bumped into the following problem.
- The client system can ping the NTP server.
- No network switch is imposing an ACL, nor is there a firewall between the two systems.
- A diagnostic check with ntpq -p reveals the following:
ntpq: read: No route to host
June 17, 2009
Debian/Ubuntu: Updating System V style init script links
Posted by Robert under I.T., Linux | Tags: Debian, Ubuntu | 1 Comment
There are a number of methods for managing the System V style init script links in Debian and Debian-derived Linux distributions, such as Ubuntu. Using the built-in update-rc.d is perhaps the most common (look here for a couple of other tools). This is somewhat analogous to chkconfig on Red Hat based distributions.
March 23, 2009
DNS: new trojan targets your LAN
Posted by Robert under DHCP, DNS, I.T., Security | Tags: DNS, DHCP, Security
DNS has been a source of concern for security practitioners for years. I think of the domain name system as the language center of the Internet brain. Without it, we’re reduced to pantomime and smoke signals. The major news of last year was the practical method of poisoning DNS caches of remote servers discovered by Dan Kaminsky. Most recently, we’ve seen news of a trojan that seems to be a variant of Trojan.Flush.M, first seen last December, that targets your entire LAN by leveraging another commonly-used protocol.
March 17, 2009
Exchange: Who has mobile handsets using ActiveSync?
Posted by Robert under E-mail, I.T., MS Exchange, Security | Tags: ActiveSync, Exchange, Security
Microsoft Exchange 2007 was a big step forward, but some common-sense settings are just not possible! To “fail safe” one would expect that some mailbox features could be globally disabled. A prime example would be ActiveSync, which allows Windows Mobile handsets (or those licensing the technology, i.e. the Apple iPhone) to synchronize e-mail, calendar, contacts, and tasks with your Exchange server. Rather than having mailboxes created with this feature disabled, it is enabled!
December 4, 2008
Active Directory: Automated password expiration warnings
Posted by Robert under E-mail, I.T., Security | Tags: Active Directory, LDAP, Password Expiration, Passwords, Perl, Windows | 2 Comments
The Microsoft Management Console provides plugins for managing many aspects of Active Directory, including user accounts. The Active Directory Users and Computers MMC plugin allows you to view and manage user accounts, but there are some things you cannot discover, such as last logon time or when a user’s password will expire (if at all). Password expiration can be particularly vexing for road warriors or those who use non-Windows platforms but still rely on ADS for authentication to numerous corporate resources. Windows users have two possible means of being warned, and non-Windows users are just out of luck!
November 27, 2008
Data Encryption for Mac OSX: Sparse images with enterprise recovery
Posted by Robert under Encryption, I.T., Security | Tags: Data Protection, Encryption, Macintosh
The use of data encryption is quickly becoming a mandated component of corporate security policies, and especially so for mobile devices. It is difficult to get exact figures for the number of lost or stolen laptops, much less USB drives, but no one wants to be in the position of having to disclose the loss of important information.
October 27, 2008
Password Safes: Everyone should use one!
Posted by Robert under I.T., Security | Tags: Passwords, Security
All of us have credentials for a variety of web sites and e-mail accounts, not to mention other sensitive personal information. Passwords alone can multiply like rabbits if you are careful not to reuse them (which is strongly advised). The temptation to record passwords, and other sensitive information, in an insecure fashion is strong. The proverbial sticky note under the keyboard is only one example. But what should you do?
October 12, 2008
Reverse Proxy: Why and how with Apache
Posted by Robert under I.T., Security | Tags: Apache, Debian, Linux, Reverse Proxy | 3 Comments
A proxy is a gateway service for users to access the Internet. This might be implemented to enforce security policy or simply as a performance enhancement, since proxies are often configured to cache fetched pages, increasing responsiveness for subsequent requests for the same content. But what is a reverse proxy? A reverse proxy acts as a gateway to internal servers. It can be used to cache pages for performance reasons, just as with a forward proxy. In my opinion, one of the most interesting reasons to use a reverse proxy is to provide an alternate or supplemental means of authenticated access to internal web-based services behind a firewall. The configuration example provided here uses Apache and the mod_proxy module. Diversification of access methods for road warriors and remote workers helps ensure that services are available under a variety of circumstances, some of which may preclude traditional IPsec VPN access, for example. This can be a simple alternative to SSL-based VPNs, such as OpenVPN or SSL-Explorer.
September 13, 2008
VS 2008 Does Not Launch After Install
Posted by Robert under I.T. | Tags: .NET Framework, Visual Studio 2008
I spent several hours working to get Visual Studio 2008 to function properly. Following an apparently successful installation on Windows XP Professional SP3, Visual Studio 2008 refused to start. The splash screen would appear briefly, and then poof, nothing at all.