Why are people continuing to let this happen?
Just yesterday I saw another one pop up that was similar.
Enable 2FA on iOS devices, folks.
https://support.apple.com/en-us/HT204915
Derp happens...
My thoughts on AppSec
Wednesday, August 3, 2016
Thursday, July 7, 2016
Thoughts on Hillary Clinton Private Server
As some of you may know, I am not exactly a Hillary fan. It's not because of political bias or because I vote for a single party (I vote bipartisan). It's a matter of people that seem to be too big for jail.
But I wanted to stop and make a really important argument today: Hillary isn't the only one that used a personal email address. The committee hearing can be seen below: (Warning: it is 4 hours long)
I will remind people that the Chairman who was grilling Comey today uses a Gmail address for official business.
At one point during the hearing, other members of Congress challenged each other to not use personal email addresses to conduct business. At that point, when the comment was made, I turned off my laptop thinking we are really screwed when it comes to some people that are supposed to be protecting the country's information assets.
Classified vs. Non-Classified
Classified emails are simply marked with a header labeled (C). What escapes me is there seems to be no data leak protection on email sent to external email addresses that are marked as classified.
"In total, the investigation found 110 emails in 52 email chains containing information that was classified at the time it was sent or received. Eight chains contained top secret information, the highest level of classification, 36 chains contained secret information, and the remaining eight contained confidential information. Most of these emails, however, did not contain markings clearly delineating their status."
We all should wonder how many classified emails are leaving the security of their systems unchecked?
Saturday, January 30, 2016
Chromebook Security: A real life story
I've never taken the time to blog about anything personal or work related, for that matter, as both of those things I would rather keep private. But this story is just too good to not tell. Back in late November my mom asked for a laptop for Christmas. My parents were leaving on a long four-month vacation and she wanted something that she could do video conferencing on with family back home. After asking what all she needed to do with it, I opted to get a Chromebook for her.
So I configured it appropriately with an EFF Guide. Which is located here:
https://www.eff.org/deeplinks/2015/11/guide-chromebook-privacy-settings-students
and here:
https://www.eff.org/deeplinks/2015/11/guide-google-account-privacy-settings-students
And was literally all set within a matter of a few minutes.
Here is where things got fun. I chatted with both my parents over Google Hangouts one evening, and my mom oddly enough said she had to call a company because a pop-up displayed that she was infected with a virus. At first I was taken aback a little... and after I had her repeat the statement, she said yes, it was infected with a virus, so she called the number on the screen. A popup similar to this:
The next thing I asked was what they said, and I shit you not, word for word, in a heavy, thick Indian accent: "Well since you have a Chromebook there is nothing I can do. Just throw it in the trash and get a real computer."
Then the guy hung up. My parents said they just powered the laptop down and the message went away. They now know to call me instead if something like this happens again.
I am now a believer in Chromebook security. Especially when something stupid like this happens.
Friday, January 22, 2016
So WTF Google?
Update: My Chrome browser has been updated this evening. No alerts about my CentOS 7 systems no longer being supported. All is right again with the world.
I run a small number of CentOS 7 desktops in a virtualized environment. After updating to the latest version of Google Chrome I was met with a nasty message that my Linux system will no longer be supported.
So WTF, Google?
I'm running a current CentOS 7 64-bit Linux workstation and you are dumping support for it?
So I took to Google's support page to take a look at what is supported.
Pushing Chrome support out of CentOS and RHEL seems like a mistake for corporate customers. I can understand discontinuing support for 32-bit Linux. But a current major distro that is 64-bit... Hopefully someone at Google will see this after I tweet this for some clarification.
Thursday, January 14, 2016
Some NSA docs for Infosec use (Non Classified)
Some NSA docs from IA resources that I have used, or at least gotten suggested guidance from.
Recommendations for Configuring Adobe Acrobat Reader XI in a Windows Environment
https://www.nsa.gov/ia/_files/app/Recommendations_for_Configuring_Adobe_Acrobat_Reader_XI_in_a_Windows_Environment.pdf
Reducing the Effectiveness of Pass-the-Hash
https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf
Deploying and Securing Google Chrome in a Windows Enterprise
https://www.nsa.gov/ia/_files/app/Deploying_and_Securing_Google_Chrome_in_a_Windows_Enterprise.pdf
NSA Methodology for Adversary Obstruction
https://www.nsa.gov/ia/_files/factsheets/NSA_Methodology_for_Adversary_Obstruction.pdf
Defensive Best Practices for Destructive Malware
https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf
Data at rest guidance
https://www.nsa.gov/ia/_files/DAR_CP_v2.0.pdf
Sunday, January 10, 2016
Guidance for Protected Browsing
This is some best practice guidance for Google Chrome. This should be done first, before any browsing is done.
It works best if you compartmentalize your browsing through a virtual machine or read-only CD media.
VirtualBox is free for personal use - https://www.virtualbox.org/wiki/Downloads
EFF guide to Chromebook privacy
https://www.eff.org/deeplinks/2015/11/guide-chromebook-privacy-settings-students
@attrc HowTo: Privacy & Security Conscious Browsing
https://gist.github.com/atcuno/3425484ac5cce5298932
Use the following Chrome add-ons as a minimum:
HTTPS Everywhere
Privacy Badger
uBlock Origin
Use a VPN before browsing
Under Chrome Content settings set plugins to do this:
If you want to get into hardcore mode go to chrome://plugins
Disable Adobe Flash Player
You may find your browsing experience doesn't require Flash for daily use.
Use a Chromebook and do all the above. Chromebooks work great because users can install extensions only. Executables and such won't run on Chromebooks. The risk of malware is low.
Compartmentalize
Compartmentalize
Compartmentalize
I can't stress it enough when it comes to your personal data.
Monday, January 4, 2016
Windows 10 Security Guidance for Enterprise users
Updated security compliance guidance direct from Microsoft, as of 1-22-16.
Security baseline for Windows 10 (build 10240) – FINAL/Update 1-22-16
http://blogs.technet.com/b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update.aspx
Security baseline for Windows 10 (v1511, "Threshold 2") -- FINAL 1-22-16
http://blogs.technet.com/b/secguide/archive/2016/01/22/security-baseline-for-windows-10-v1511-quot-threshold-2-quot-final.aspx
If you want to compare GPO sets you should look at this tool called Microsoft Policy Analyzer
http://blogs.technet.com/b/secguide/archive/2016/01/22/new-tool-policy-analyzer.aspx
LGPO.EXE Tool (Automates the management of local group policy. Best for non domain joined computers)
http://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx
For more Microsoft Security guidance you can follow their blog.
http://blogs.technet.com/b/secguide/