Sunday, December 14, 2014

Lessons from Sony

There's been a big story lately about the hack of Sony Pictures. Terabytes of sensitive data were exfiltrated and posted publicly. There are several theories about the motivations behind it, but I want to focus on the security practices. Let's be slow to throw rocks, because this could be you.

I'm a big proponent of leveraging size to reduce cost. Sony, Sony Pictures' parent company, had consolidated security management into its global organization. At first that seems like a good idea.


But the result was that the global organization couldn't/didn't focus on local issues. The global team was failing to monitor 149 of the 869 Sony Pictures systems in its scope. That's 17% of the systems unmonitored.


And the global organization's IT management was aware of this gap and didn't remedy it. Even with 17% of the systems being unmonitored, almost 200 security incidents were reported to the global organization between September 2013 and June 2014.


It is not known whether the penetration leveraged any of these unmonitored systems, but they certainly were vulnerable.


Lesson: Cost should not be a primary consideration in IT security decisions.


There were also several issues that emanated from the leaked data. In the data were hundreds of RSA SecurID tokens, Lotus Notes IDs, passwords, and certificates - many of them with the required passphrase. One of the certificates was a certificate Sony Pictures used to sign code. Its password was the filename.


Lesson: Lock up the family jewels.
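If you want to know whether your own file shares hold the same kind of material before someone else finds it, a scanner like the following is the first pass. This is an added example, not code from the original post and not anything Sony ran. It covers only two of the artifact types listed above, PEM private keys and clear-text password/passphrase lines; SecurID seeds and Lotus Notes IDs are binary formats it does not parse. The file names and contents in SAMPLE_FILES are constructed for the example and contain no real keys.

```python
"""Find leaked key material and clear-text passphrases in a set of files.

Added example, not code from the original post and not anything Sony ran.
SAMPLE_FILES below is constructed: a code-signing key whose passphrase sits
next to it and is just the file name, plus a bare server key.
"""
import os
import re
from pathlib import Path, PurePosixPath
from typing import Dict, List

# Any PEM private-key block: PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<label>(?:[A-Z]+ )*PRIVATE KEY)-----"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)
# A line that hands over a secret in the clear, e.g. "passphrase: codesign".
CREDENTIAL_RE = re.compile(
    r"^[ \t]*(?P<key>pass(?:word|phrase)|pwd|secret)[ \t]*[:=][ \t]*(?P<value>\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def _is_encrypted(label: str, body: str) -> bool:
    # PKCS#8 says so in the label; legacy OpenSSL keys say so in a Proc-Type header.
    return label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan {relative_posix_path: text}. Returns one finding per key or credential."""
    # File names per directory, so a passphrase that is simply the name of the
    # key or certificate it protects (the case the post describes) gets flagged.
    names_by_dir: Dict[str, set] = {}
    for path in files:
        p = PurePosixPath(path)
        names_by_dir.setdefault(str(p.parent), set()).update({p.stem.lower(), p.name.lower()})

    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        parent = str(PurePosixPath(path).parent)
        for m in PEM_KEY_RE.finditer(text):
            encrypted = _is_encrypted(m.group("label"), m.group("body"))
            findings.append({
                "path": path, "type": "private_key", "label": m.group("label"),
                "encrypted": encrypted,
                # An unencrypted key is usable as-is; an encrypted one still needs its passphrase.
                "severity": "medium" if encrypted else "high",
            })
        for m in CREDENTIAL_RE.finditer(text):
            guessable = m.group("value").lower() in names_by_dir[parent]
            findings.append({
                "path": path, "type": "credential", "label": m.group("key").lower(),
                "guessable": guessable,
                "severity": "critical" if guessable else "high",
            })
    return findings


def scan_tree(root: str, max_bytes: int = 1_000_000) -> List[Dict[str, object]]:
    """Read every file under root (skipping ones over max_bytes) and scan it."""
    files: Dict[str, str] = {}
    root_path = Path(root)
    for dirpath, _, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.stat().st_size > max_bytes:
                continue
            files[p.relative_to(root_path).as_posix()] = p.read_text(errors="ignore")
    return scan_files(files)


# Constructed sample (no real key material).
SAMPLE_FILES = {
    "certs/codesign.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
        "(base64 body omitted; constructed sample)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "certs/codesign.txt": "passphrase: codesign\n",
    "notes/server.key": (
        "-----BEGIN PRIVATE KEY-----\n"
        "(base64 body omitted; constructed sample)\n"
        "-----END PRIVATE KEY-----\n"
    ),
    "notes/readme.txt": "nothing sensitive here\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Run it over a share with `scan_tree("/path/to/share")`. The "guessable" check is deliberately narrow: it only catches a passphrase that equals the name of a file in the same directory, which is exactly the code-signing case above, and it says nothing about passphrase strength in general.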


One of the other firestorms has been the content of the leaked e-mails. Besides all the sensitive business discussions there were some pretty damning dialogues concerning actors and actresses.


Lesson: Have a policy about what is allowed in e-mail and recurring training on the necessity of this policy.


Finally, face up to the fact that your company will be hacked.


Articles that I used in this post:

     Gizmodo
     Forbes
     CSOonline
     TechTarget
     TechTarget

Sunday, December 07, 2014

Hara-Kiri

A random article in my feedly recently caught my eye. The headline was "H-P Moves to Retain Corporate Customers Ahead of Breakup." Well surely they would do that. So what? But I read it anyway.

(This article is in the Wall Street Journal and behind a paywall but if you Google that headline and click on the link from there you'll see the entire article.)

Stop now and go read it yourself.
The Palo Alto, Calif., company said it would offer versions of two computer server lines under H-P's Integrity moniker - Superdome and NonStop - that will be powered by Intel Corp.'s Xeon chips...
Whoa!

These Integrity systems now use Intel's Itanium chips (the first generation was code-named Merced). They are pretty much the only users of these chips. At one time even Microsoft supported the Itanium chip.

This was in the era of system vendors differentiating themselves with their own chip architecture. HP previously had PA-RISC. DEC had VAX and Alpha. Sun had SPARC. IBM had PowerPC.

But this isn't a history lesson.

This is the end of purpose built processors. The Intel x86 has won (for now).

The Itaniums ran HP-UX, a version of Unix.
H-P is encouraging customers to move to the Linux operating system...
Antonio Neri, SVP and GM of H-P's enterprise group
Read that again. "H-P is encouraging customers to move to the Linux operating system..."

And on Intel x86 processors.

H-P has just committed hara-kiri.

They have gone from having a differentiating processor and operating system to being just another vendor of Linux and x86.

Sure they can put some lipstick on it with lots of processors and lots of salesmen, but it'll still be just another Linux and x86 system.

It's a sad day.

Update: I shared this with the Unix manager at a Fortune 100 company. His comments:
I guess my take is this……. At least they actually documented a direction….. been struggling to figure out where they were headed for a couple of years now.

We’ll still shut them down as fast as we can though, just another O/S and vendor to manage…..
"Just another O/S and vendor to manage." Sad.

Sunday, November 30, 2014

Your Grandfather’s Technology

Recently one of my co-workers sent me an article on the mainframe. Now you gotta remember that I'm a mainframe guy. I was into mainframes when 256 kilobytes was a BIG system. I led organizations that bet the company on mainframes. And won. I love to write S/370 assembler!

The article got this right:
...the mainframe computer seems like your grandfather’s technology...
That's me. But...

This article is self serving. And, in my opinion, misleading.

Somehow CA Technologies, né Computer Associates, has gotten the Wired brand in the top right corner. But all of the references are to CA Technologies.

A CA Technologies survey found "more than 75 percent of U.S. respondents and more than 80 percent of global respondents confirmed that the mainframe is a strategic or highly strategic part of their current and future IT plans."

But dig a little and you'll find that the survey respondents were "623 mainframe executives." Not exactly objective.

That many organizations are sticking with the mainframe doesn't surprise me. In my consulting role, I see over and over that organizations won't/can't invest enough to implement new open systems. I call these organizations "Dead Men Walking."

And CA Technologies got this right: "...some pundits say the mainframe can’t possibly remain relevant in the cloud computing environment, where vast amounts of computing power and storage are available for anyone to rent at relatively low cost."

And I don't think I'd have used this example: "mainframes are still the go-to technology platform when it comes to tackling big jobs, such as managing the database of a government agency..."

I can't figure where this statement comes from: "...mainframes are hard to beat when you’re trying to plan for unpredictable spikes in network usage." Unpredictable spikes are the nemesis of monolithic mainframe systems. Horizontally scalable systems are made for unpredictable loads.

While I don't disagree that mainframes will continue to be around for a while it won't be because they perform the job better. And the business risk of operating on a mainframe will continue until those businesses migrate or fail. Only time will tell which.

Sunday, November 23, 2014

More Lessons from the Cloud

There seems to be a recurring theme in my posts about outages in cloud services. While not trying to beat that dead horse there are certainly some lessons to be learned here.

Recently there was an 11-hour outage of Microsoft's Azure storage services.

Again users were hard pressed to get details on the outage as "the Service Health Dashboard and Azure Management Portal both rely on Azure."

I commend Microsoft for owning up to the root problem quickly and succinctly.
"Unfortunately the issue was widespread, since the update was made across most regions in a short period of time due to operational error, instead of following the standard protocol of applying production changes in incremental batches."
     http://azure.microsoft.com/blog/2014/11/19/update-on-azure-storage-service-interruption/
One of the comments summed it up best:
Overdependence.

So much tied into itself that there is no dependency tree - it is a pure network - thus issuing bad changes take down the entire net.

It can be a spectacular update process - minimum to no outage... but only if the updates work.

It also shows a major vulnerability. That central update can take down the entire company if it gets penetrated.

jessepollard
20 November, 2014 12:46
So, lessons...
  1. Diversify - Don't build your notification tool on top of what you're monitoring.
  2. Manage change - Don't let operational error bite you in the a**. Your execution has to be perfect. Users are unforgiving.
These don't apply just to cloud solutions. They apply just as much to your internal solutions.
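What lesson 2 looks like in practice is a rollout that gates each batch on a health check and stops at the first failure, so a bad change can reach at most one batch. The following is an added example, not Microsoft's code or anything from the incident report; the region names, the change and the failure model are constructed (the flag breaks every region it reaches, which is what a bad update looks like from the outside). Lesson 1 is architectural and has no code to show here.

```python
"""Incremental rollout with a health gate, versus pushing everywhere at once.

Added example, not Microsoft's code or the post's. Regions, the change and the
failure model are constructed; only the rollout policy is the point.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

REGION_NAMES = ["us-east", "us-west", "eu-north", "eu-west", "asia-east", "asia-south"]


@dataclass
class Region:
    name: str
    config: Dict[str, bool] = field(default_factory=dict)
    healthy: bool = True


def apply_config(region: Region, config: Dict[str, bool]) -> None:
    """Install a full config on a region and re-evaluate its health.

    Constructed failure model (assumption for this example): the
    'new_blob_frontend' flag breaks the region; everything else is benign.
    """
    region.config = dict(config)
    region.healthy = not region.config.get("new_blob_frontend", False)


def rollout(regions: List[Region], change: Dict[str, bool], batch_size: int,
            health: Callable[[Region], bool] = lambda r: r.healthy) -> Dict[str, object]:
    """Apply `change` in batches of `batch_size`, checking health after each.

    On the first unhealthy batch, roll that batch back and stop, so the blast
    radius is at most one batch. batch_size=len(regions) is the "across most
    regions in a short period of time" case from the incident report.
    """
    impacted: List[str] = []
    for start in range(0, len(regions), batch_size):
        batch = regions[start:start + batch_size]
        snapshot = {r.name: dict(r.config) for r in batch}   # for rollback
        for r in batch:
            apply_config(r, {**r.config, **change})
        impacted.extend(r.name for r in batch)
        failed = [r.name for r in batch if not health(r)]
        if failed:
            for r in batch:                                   # roll the whole batch back
                apply_config(r, snapshot[r.name])
            return {"status": "halted", "failed": failed, "impacted": impacted}
    return {"status": "complete", "failed": [], "impacted": impacted}


def fresh_regions() -> List[Region]:
    return [Region(n) for n in REGION_NAMES]


def compare() -> Dict[str, Dict[str, object]]:
    """Same bad change, two rollout policies."""
    bad = {"new_blob_frontend": True}
    return {
        "big_bang": rollout(fresh_regions(), bad, batch_size=len(REGION_NAMES)),
        "one_at_a_time": rollout(fresh_regions(), bad, batch_size=1),
    }


if __name__ == "__main__":
    for policy, result in compare().items():
        print(f"{policy}: {result['status']}, impacted={result['impacted']}")
```

The health check here is a stub on the region object; in a real pipeline it is the external probe that tells you the service is up, and per lesson 1 it must not itself run on the thing being changed, or the gate goes dark exactly when it is needed.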

My previous posts on this topic:

Storm Clouds
When Clouds Go Bump
When Clouds Go Thump
Lessons from the Cloud
When Clouds Go Bump Revisited
To Be Fair
To Be Fair, Again
To Be Fair, Again and Again

Update: Microsoft has published a thorough analysis of the problem with the corrective action. Good job Microsoft!

Sunday, November 16, 2014

Chrome Memory

Recently I noticed my laptop running slowly. Processor utilization was nil so I fired up Task Manager to see what the memory usage was.

OMG!


Chrome was using over 4GB of RAM just from the processes on the first screen.

Here's what Chrome's Task manager showed.


I was running Chrome 38.0.2125.111 m (64-bit).

That just ain't right.

Sunday, November 09, 2014

CryptoWhatever

One of our clients recently was impacted by CryptoWall. It's nasty.
Security researchers at Proofpoint warn that a new variant of CryptoWall recently spread through malicious banner ads. Surfers ran a risk of being faced with ransomware purely by visiting one of the impacted sites, which included various properties in the Yahoo!, Match.com, and AOL domains, among others. 
http://www.theregister.co.uk/2014/10/23/cryptowall_malvertising_outbreak/
This comment makes a good point that the ad networks should be called out for their participation.

This "drive-by" risk is very difficult to protect against. I believe that an ad-blocker will help mitigate this risk. I use Adblock Plus.

Lifehacker had a good article on all the things you can do with Adblock Plus. I also found that Adblock Plus has a page that will let you extend it.

Here are my options:


Adblock Plus is not without controversy. Read about it here.

Sunday, November 02, 2014

X-ACR

So you block third-party cookies?

CHECK

And you opt-in to Do Not Track?

CHECK

And you run Facebook in an incognito/private window?

CHECK

And you block ads with Adblock Plus?

CHECK

So you think your privacy is protected?

WRONG

AT&T and Verizon are selling you out on your mobile device.
Verizon and AT&T (are) rolling this out: they’re tagging their customers with unique codes that are visible to third parties
Oh, and they're charging the third parties for YOUR information.

You can see what they're doing by following this link on your mobile device.

Here's what my headers look like.


If you're on AT&T you can go here and opt-out. Good luck though. It didn't do anything for me.

A detailed explanation of how it works is here.
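The check behind a page like the one linked above is simple: the client knows exactly which headers it sent, a server you control echoes what arrived, and anything in the echo you did not send was added in transit. The following is an added example, not the linked page and not anything the carriers published. The header names in KNOWN_TRACKING_HEADERS are the ones reported for AT&T (X-ACR) and Verizon (X-UIDH) at the time; the request bytes, host name and identifier value are constructed for this example.

```python
"""Spot headers a network middlebox added to your request.

Added example; not the linked page's code. The technique is a diff between
what the client sent and what a server you control saw arrive. ARRIVED and
its X-ACR value are constructed, not captured traffic.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, List

# Reported at the time: AT&T injected X-ACR, Verizon injected X-UIDH.
KNOWN_TRACKING_HEADERS = {"x-acr", "x-uidh"}


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Header block of a raw HTTP/1.x request as a lowercase-keyed dict.

    Handles obsolete line folding; repeated headers are joined with ', '.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    last = None
    for line in lines[1:]:                       # lines[0] is the request line
        if not line:
            continue
        if line[0] in " \t" and last is not None:  # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        value = value.strip()
        headers[last] = f"{headers[last]}, {value}" if last in headers else value
    return headers


def find_injected(sent: Iterable[str], received: Dict[str, str]) -> Dict[str, str]:
    """Everything that arrived that the client did not send."""
    sent_lower = {h.lower() for h in sent}
    return {h: v for h, v in received.items() if h not in sent_lower}


def known_trackers(injected: Dict[str, str]) -> List[str]:
    return sorted(h for h in injected if h in KNOWN_TRACKING_HEADERS)


class EchoHandler(BaseHTTPRequestHandler):
    """Echo the request headers as JSON; point a phone at it over plain HTTP."""

    def do_GET(self) -> None:
        body = json.dumps({k.lower(): v for k, v in self.headers.items()}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:        # keep the console quiet
        pass


def serve(port: int = 8080) -> None:
    HTTPServer(("", port), EchoHandler).serve_forever()


# Constructed: what the phone sent, and what the echo server saw arrive.
SENT = ["Host", "User-Agent", "Accept"]
ARRIVED = (
    b"GET /headers HTTP/1.1\r\n"
    b"Host: echo.example\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n"
    b"Accept: */*\r\n"
    b"X-ACR: 0000000000000000000000000000000000000000\r\n"   # constructed value
    b"Via: 1.1 carrier-proxy\r\n"
    b"\r\n"
)


def check(sent: Iterable[str] = SENT, arrived: bytes = ARRIVED) -> Dict[str, object]:
    injected = find_injected(sent, parse_request_headers(arrived))
    return {"injected": injected, "trackers": known_trackers(injected)}


if __name__ == "__main__":
    print(json.dumps(check(), indent=2))
```

Run `serve()` on a host you control and load it from the phone over plain http://, since that is the only traffic the carrier can see and modify; over HTTPS the carrier cannot add headers, which is why a tracking header never shows up on an https:// echo page. A Via header is the proxy announcing itself and is expected; the identifier header is the problem.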

The Electronic Frontier Foundation has this to say:
ISPs are trusted connectors of users and they shouldn't be modifying our traffic on its way to the Internet...
Amen.