Saturday, September 13, 2014

Good on you Microsoft!

So as I began writing this, I sit and stare at my other computer "preparing" to configure Windows after the latest batch of Microsoft updates have been installed.  But I won't let that bother me as it hasn't blue screened...

So in a recent ZDNET article, Microsoft is being held in contempt-of-court for not handing over data, that is stored on servers in Ireland, to US Federal Prosecutors despite a warrant.  So those of us who have worked for/with companies that have an international present, in particularly within the EU, know that it isn't a simple matter of saying "oh we own the servers, so we have the final say in what we do with that data..."  Fortunately/Unfortunately (depending how you look at it), the EU privacy laws are much stronger than most other countries.  So the fortunate part of this is that it puts our wonderful "World Police" mentality into check.  People need to play nice around here, so if a foreign government is willing to work with us on something, then cool.  If not, guess you need to go a different route in the prosecution.

So if Microsoft said, "Sure buddy!  here you go, all the foreign internetz!"  Then they risk breaking the law in the foreign country.  So damned if you do, damned if you don't.  I once had to do some forensic work on a system in another country.  That branch of the company needed to have their export folks and the privacy law dogs review the system before allowing me to take a forensic image.  Even though we were the parent company, we still had to allow them to approve it.  So it is a sticky matter when dealing with these situations.  The "Unfortunate" part of all this is if one is doing a forensics investigation on something critical like a targeted attack, well time is everything!  Lawyer types are not known for their speedy response on a decision.

So what are your thoughts?  I'd be interested in hearing them.

Wednesday, September 10, 2014

It's Always the User's Fault...

Throughout our career as Information Technology/Security professionals, we have, at one point or another, blamed a user for the problem.  Granted there are some pretty good cases out there where it certainly is their fault; for example, using the CD tray as a coffee cup holder, or spilling soda in the keyboard then denying that they did it, and maybe attempting to fix the problem themselves and only making it worse.  Seriously, one time I was working for University and I had to come up and check on a staff member's computer.  I look at it and see a bunch of the power cables hanging out of the case.  I look at them and ask if they attempted to fix it themselves, and they straight up denied it.  So yeah we like to blame them for most, if not all of the problems.  In Security we are no better.

The debate is a hot one these past few weeks in lieu of the latest series of breaches, in particular the celebrity photos being leaked.  Now our first two comments on the matter are usually "You shouldn't take nude photos of yourself with your phone if you don't want it on the internet..." and "Why are you not using strong passwords!!?!?!?!"  To those of us in security, these things are just common sense.  For those not in this particular industry, they put trust in us to secure a system so they don't have to worry about such things.  This is a pretty logical assumption from someone NOT in the security profession.  But we all no better, don't we?  Contrary to popular belief, this is something that was not instantly built into our DNA.  It took years of experience to make us hardened pessimists of all things tech.  We have seen what happens when things don't work right.  We have worked for companies who have cut corners on a product just to get it out the door.  We all know security is looked upon as a cost center, not a revenue driver.  So if it comes down to making a product so simple to use that even the likes of the Kardashians can figure it out, then sometimes security is tossed out.

Can you make things extremely functional without skimping on security?  Certainly!  Is it easy?  Hell no!  But then if it was, many of us would not have jobs.  So how do we fix this?  After all it is a growing problem that doesn't seem to get better despite everything we tweet and post about.  I think first, the main stream media just needs to stop... seriously, they are horrible at covering these types of news stories.  Rather they need to get more REAL experts to comment and offer sensible recommendations.  The larger news outlets are getting better at it by bringing folks in like Dave Kennedy (Trusted Sec) or tapping Dan Kaminski.  But the smaller stations are really not there.  So if you know folks at your local news organizations, reach out to them and let them know you have the answers!  As for the companies who make these products, well the only way we can help is by taking on the difficult position of working for them and making things right.  Then again, they have to be willing to compensate such positions appropriately.

Ok, I think that is it.  Guess I'll shut up for now.  I have some letters to write to my local news outlets!

Story of an IT Pro: Volume 2 "The Choice"

If you haven't read Volume 1 "The Beginning", check it out now.

So fast forward from that time where I worked in K-12.  I had worked for the school system for a little over 4 years and it was time to move on.  For those that have been in IT for a while, you know that the jobs can get stale which can cause you to burn out.  I was there and it was time to go.  I took a job with a consulting company which offered a nice pay increase as well as possible training opportunities (later I found this to be exaggerated a bit).  The job was a love/like/hate relationship.  I loved the amount of experience I was getting from all the different environments and systems.  I loved that I had people above me that had much more knowledge than I did on a number of related topics.  I liked most of the people I worked with.  I hated the travel.  Now I had an idea that I would be on the road a bit more than a normal 9-5 with a standard commute, but it does drain you and can cause you to make some poor decisions in handling your job.  Now that being said, I still would not have traded that experience.  I think 5 years doing the same job in IT is a pretty good run.  Will I ever take on a job like this again? Certainly not, but I would still recommend that if you are new to the industry, a consulting job will be your best bet to gain a significant amount of experience.  Just do your research on the company before hand.  That is all I will say on the matter in this post.  I may right something in the future on the topic.

Back to the story... So I was getting burned out and InfoSec was just starting to become a hot topic, at least in my world.  We had one guy in the company that held a strong interest in the art of penetration testing.  Sadly, at this time, there was little call for it.  We mainly did vulnerability assessments since no one wanted to pay for the full penetration test and/or risk having their systems down if we succeeded in the test.  This field of study fascinated me.  So I began doing some heavy research in the topic.  I provisioned some systems in my home lab to play with and started using twitter so I can follow some pros.  I filled my iPhone with all sorts of security podcasts.  I was really into it.  After I learned that with good security, one can eliminate a number of the small day-to-day fires that Sys Admins have to deal with, I made a choice to pursue this as a career.  So I updated my professional development plan and let my manager know this is what I want to do.  And shortly after that, the lead engineer for Security Services gave his notice.  Well I still tried to take on more security related tasks but eventually, it was time to look for something new.

Remember that thing about burning out?  Due to a couple bad calls on my part, it was decided that the company and I were no longer a good fit.  I was able to take a nice semi-paid 3 week vacation before going back to consulting.  I took a job with another consulting company to pay the bills.  But it was not the job I was looking for.  If it wasn't clear, the choice I made was to pursue a career in Information Security.  I really didn't know what that meant exactly.  I did know what I didn't want to do, and that was to have to troubleshoot printer issues forever.  So I was determined to find the job that would support my new goals.  I wanted to find things before they became problems.  I wanted to prevent the common day-to-day fires caused by improper anti-virus software installs and poorly configured firewalls.  During that short stint with that other consulting company, I was presented an opportunity to take on a Security Administrator role in a local not-for-profit insurance company.  So I jumped at!  You have to do what is good for you.  So you find that new job, write your resignation letter, and part ways...

Continued in Volume 3: Career Advice

Monday, September 1, 2014

Story of an IT Pro: Volume 1 "The Beginning"

So this may or may not turn into a series of posts.  But just in case, let this be the first of that series.  15 years ago when I got into this business, I didn't really think I quite understood just how many different types of jobs existed out there in IT.  I mean, sure, I knew about the help desk and repair jobs (which is where I started).  I also new about the System Admins and Network/Tel-co groups.  And of course there were the developers.  At the time those were the folks I would curse out on a regular basis for their "crappy app that we were forced to use".   One more note about my past, I was a late bloomer to computers.  I didn't really get into them until college.  Sure we had one in the house  before the days of AOL, but mostly it was a glorified word processor with a couple of games.  We would occasionally use a modem (14.4 kbps baby!) and connect up to the various Bulletin Boards to download the Jolly Roger Cookbook and learn to make all sorts of things; which today would get us on a Terrorist Watch List.

I've always been decent at using tech and gadgets but never really thought of making it career.  I wanted to do something that would allow me to work outside.  Let's see in Kindergarten I was asked what I wanted to be when I grew up...  Raiders of the Lost Ark had just come out and I was fascinated with the adventures of Indiana Jones.  So naturally my answer was "Archaeologist!" (probably one of the hardest words I had to spell in Kindergarten).  Of course after I learned that you don't get to carry around a bull whip, sport a cool leather satchel, and shoot evil swordsman in the head, I pretty much lost interest in that.  Towards the end of high school I decided something in the environmental studies field would be fun, National Park ranger to be more specific.  Unfortunately Chem 100 in college sent me off that path and into Business, most specifically Management Information Systems.

VAX 11/780
Courtesy of
By then, though, I had already explored my way  around the University VAX system and I even took a job
int he Information Systems Computer Repair department.  Apparently I was a natural at this type of work.  The initial job was for an installer, which consisted of bringing a computer to an office and plugging it all in.  Configuration was either done before or after it was installed.  Of course I had to at least make sure it powered up and could access the network.  I did this job for about 2 weeks before I was promoted to a repair tech after discovering a network issue in one of the buildings and troubleshooting it down to a bad port in the network closet with the assistance from the Tel-co folks.  After that I had a number of different challenges which got me noticed by the Systems office.  I was promoted to a position with the guys who basically controlled the access to the network and all the systems that ran on it.  The new boss continued to challenge me with a number of tasks from migrating the university staff from the VAX email to Microsoft Exchange 5.5, to creating a back-end database and query for user look-ups so people can verify who they were before resetting a forgotten password.  By this time the only programming I had done was in the MIS Intro to Programming course.  So this was certainly one of my toughest projects.  I worked on that part and another MIS student created the front-end app the Computer lab used to let students change their passwords.  I also re-purposed the app so the help desk could verify staff when they called in.  In hindsight, I should have kept learning more about the developer side of IT back then, considering what I do now.

Eventually I had to start prepping for the real world.  Luckily I had a good amount of experience from working at the university.  I was able to take a Co-operative education job doing Systems Admin work in a Novell/Windows environment (with a little bit of Lotus Notes thrown in for good measure), which then lead me back the education world managing the network and systems for a K-12 environment.  So this is all leading somewhere, honest!  Make a note of the comment I made about developers earlier in the story...

Continue in Volume 2 - "The Decision"