9/11 Vigilance

On 9/11/2001, I was driving to Muskogee to implement Windows Terminal Services for the Veterans Administration Medical Center. My CFO called my cell and said Tower One had collapsed from a plane crash. During college, she was a nanny for a wealthy family in New York City. My mother’s family was from the Empire State and I often spent summers seeing the sights in NYC. Both of us were very familiar with the landmark and I really couldn’t process what she was saying.

Upon arriving at the hospital, the facility was in lockdown. Instinctively, I knew then that many of our freedoms had been taken. All vendors were released except HP and Matrixforce. It wasn’t an honor, but a matter of security expertise and all I really wanted was to go home too.

As the years pass, Americans should stay vigilant about technology threats on 9/11. While the mainstream press covers a few sparse tributes, this is the one day not to become complacent:

  1. Remind staff to be wary of virus and phishing e-mails.
  2. Mass e-mails about 9/11 should NOT be opened or forwarded.
  3. Don’t provide passwords or sensitive information to unknown persons.
  4. Be skeptical of Internet posts and unknown websites.
  5. Technology pranks, jokes, or surprise audits are especially discouraged on this day.
  6. Pay close attention and report suspicious utility, communication, or police vehicles.

It’s important to remember those that died and reflect on the changes we have endured. Let’s be vigilant, but live without fear as our way of life is what terrorists seek to destroy.

SharePoint Online Prevents Employee Theft

It’s a regular occurrence. Before leaving, the ex-salesman copied the customer list spreadsheet and the sales pipeline. A key employee took off with major contracts. Somehow most employees know how much management makes. A rogue group of staff steals all of the standard procedure files and starts a competing business.

If someone wants to hurt you or steal from you, they likely will. All you can do is take reasonable precautions and then weigh what you can prove, and what you are willing to spend, against the damages. While stealing is a criminal act, you must have clear proof. The reality is that the authorities are far too busy dealing with drugs, and civil cases are difficult to win while the attorneys get paid either way.

After a data breach, customers get serious and the discussion quickly turns to key-loggers tracking every employee’s move and camera systems continuously scanning every part of the office. That approach is expensive, drags down employee morale, needs someone to maintain the systems, and produces reports that management never has time to review.

A better recommendation is SharePoint Online instead:

  • File shares are converted to sites with permissions set per user group. If you’re not in the permitted group, you can’t even see the site.
  • IT doesn’t need to be an owner or have permission to any of the files on a site. That matters because a blanket administrator account that can read everything is exactly what an insider breach rides on.
  • User name and date/time are recorded whenever a file is edited. Reconstructing that history on a traditional file server is hard even with third-party auditing software; in SharePoint Online it sits in the version history and, with site collection auditing turned on, in the audit log as well.
  • Previous versions may be enabled, along with alerts e-mailed to you whenever a critical file is added, changed or deleted (alerts fire on changes, not on reads; who merely opened a file is a question for the audit log). So in addition to the site recycle bin, you can recover from simple user errors and know who affected which files.

For nominal cost, your file security is light-years ahead of that old file server. See for yourself by trying the Office 365 free trial for 30 days.
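To make the “who affected which files” point concrete, here is an added example (not the page’s own code, and not a Microsoft tool) that reads an exported SharePoint Online audit log and flags the departing-salesman pattern: one account pulling many files off the site in a short window. The field names follow the Office 365 unified audit log export; the tenant, users, files, addresses and times are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of an Office 365 unified audit log export
# (CreationTime, Operation, UserId, ObjectId, ClientIP, Workload are the real
# field names); the tenant, users, files, addresses and times are made up.
SAMPLE_EXPORT = """[
 {"CreationTime": "2013-05-06T08:02:11", "Operation": "FileModified", "UserId": "jane@contoso.example", "ClientIP": "10.1.1.20",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Shared Documents/Pipeline.xlsx"},
 {"CreationTime": "2013-05-06T09:15:00", "Operation": "FileAccessed", "UserId": "jane@contoso.example", "ClientIP": "10.1.1.20",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Shared Documents/Pipeline.xlsx"},
 {"CreationTime": "2013-05-06T18:40:01", "Operation": "FileDownloaded", "UserId": "sam@contoso.example", "ClientIP": "203.0.113.7",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Shared Documents/Pipeline.xlsx"},
 {"CreationTime": "2013-05-06T18:40:30", "Operation": "FileDownloaded", "UserId": "sam@contoso.example", "ClientIP": "203.0.113.7",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Shared Documents/Customer List.xlsx"},
 {"CreationTime": "2013-05-06T18:41:05", "Operation": "FileDownloaded", "UserId": "sam@contoso.example", "ClientIP": "203.0.113.7",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Contracts/Acme MSA.pdf"},
 {"CreationTime": "2013-05-06T18:41:40", "Operation": "FileDownloaded", "UserId": "sam@contoso.example", "ClientIP": "203.0.113.7",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Contracts/Globex MSA.pdf"},
 {"CreationTime": "2013-05-06T18:42:15", "Operation": "FileSyncDownloadedFull", "UserId": "sam@contoso.example", "ClientIP": "203.0.113.7",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Procedures/Onboarding.docx"},
 {"CreationTime": "2013-05-06T18:43:50", "Operation": "FileSyncDownloadedFull", "UserId": "sam@contoso.example", "ClientIP": "203.0.113.7",
  "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/Sales/Procedures/Pricing.docx"}
]"""

# Operations that move a copy of the file off the site.
PULL_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull", "FileCopied"}


def parse_records(export_text):
    """Load the export and return records sorted by time, with a parsed timestamp."""
    records = json.loads(export_text)
    for rec in records:
        rec["_when"] = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
    return sorted(records, key=lambda r: r["_when"])


def find_bulk_pulls(records, window=timedelta(minutes=10), threshold=5):
    """Users who pulled `threshold` or more files within any `window`.

    Returns {user: {"count", "first", "last", "ips", "files"}} for the busiest
    window per user. A departing employee copying the customer list and the
    contracts shows up here; one-off downloads do not.
    """
    per_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] in PULL_OPERATIONS:
            per_user[rec["UserId"]].append(rec)
    hits = {}
    for user, events in per_user.items():
        start = 0
        for end in range(len(events)):  # sliding window over the time-sorted events
            while events[end]["_when"] - events[start]["_when"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(user, {}).get("count", 0):
                span = events[start:end + 1]
                hits[user] = {
                    "count": count,
                    "first": span[0]["_when"],
                    "last": span[-1]["_when"],
                    "ips": sorted({e["ClientIP"] for e in span}),
                    "files": sorted({e["ObjectId"].rsplit("/", 1)[-1] for e in span}),
                }
    return hits


def who_touched(records, file_name):
    """Every (time, user, operation) for one file: the 'who affected what' question."""
    return [(r["CreationTime"], r["UserId"], r["Operation"])
            for r in records if r["ObjectId"].rsplit("/", 1)[-1] == file_name]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    for user, hit in find_bulk_pulls(recs).items():
        print(f"{user}: {hit['count']} files {hit['first']:%H:%M}-{hit['last']:%H:%M} from {hit['ips']}")
        for name in hit["files"]:
            print("   ", name)
    for when, user, op in who_touched(recs, "Pipeline.xlsx"):
        print(when, user, op)
```

Export the audit log from the Office 365 audit search, feed the JSON to parse_records, and tune the window and threshold to how your staff actually work; a sync client doing a first full download will also trip the threshold, which is why the operation and client IP are kept in the result rather than just a count.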

Java Fades to Oblivion

CNN didn’t really scoop many people already in the know on January 11, 2013 about the problems with Java. Things for Oracle just go from bad to worse, with today’s news that the Java patch contains new holes. Keep Java disabled in the browser, because the manufacturers who use Java are scrambling to move away and distance themselves from the numerous bugs and customer complaints.

I have to hand it to Oracle’s eccentric owner Larry Ellison. Seeing that Microsoft SQL Server would totally dominate the Cadillac Oracle database in processing power for a fraction of the cost and requirements, he looked at the reason why and bought Sun Microsystems, Java included, to keep Oracle relevant. Ellison seized on the fact that Microsoft started out offering development tools and had tens of millions of developers, which is a huge pillar of strength and endurance for a software publisher. Java would be Open Source and run on billions of devices with a large following from the developer community.

In present day, Java does run on billions of devices, albeit as a forgotten afterthought. The precious number of developers dwindles each year and is now less than 8 million from a peak of 25 million. However, the real reason for Oracle’s problem is the fraud that is Open Source. While useful in the hands of select scientists, things like Linux and Java are mostly the tools of terrorists. The platform is simply meant for dissemination and manipulation. Any Open Source that is successful quickly becomes licensed, deemed proprietary, and is definitely not free or open.

While Oracle smirks at Microsoft vulnerabilities from 20 years ago, it has failed to recognize that it is another manufacturer, like Apple, that is 10 years behind in security. Nobody wants the toolbar bundled with the Java installer either. Java updates rarely work, are the bane of administrators during security audits, and it’s a well-guarded secret that you must go to an online tool on Oracle’s website to fix update problems.

Larry should retire to the island and live off the residuals from the Oracle RDBMS. No one can argue with simply using HTML5 instead of any vendor’s bloatware like Java. Stop using Java and avoid any manufacturers or sites that require it. As Java fades to black, the world will be a safer and simpler place.

Kill Web Form SPAM

Somewhere in Tehran, the terrorist sits in the dark staring at the glow of a large CRT circa 2002 in a nondescript rundown building. Even though it’s a mild 70F outside, he still wears the dirty lime green t-shirt and faded desert camouflage fatigues. His wife patrols the streets in a black chador from a military jeep brandishing an AK-47. It may be exotic Persia, but poverty reigns and he idly remembers something about a new thief to be hung from the crane down the street today.

The monitor is so large that there is barely enough room for the keyboard and a large ashtray overflowing with Marlboro cigarette butts. He knows more than enough to be dangerous, but is actually running a nearly 20-year-old script that connects directly to a website’s form-handler script and e-mails bogus contact information, along with gibberish comments sprinkled with links to ads or malicious sites. A third of the time, Johnny Jihad has a 10-year-old beauty of a program that can actually traverse web forms and submit the fake information. Since the posts only go to the website owners, the goal is simply to harass infidels and clog the networks of web hosts and ISPs. If the pampered and morally corrupt enemies are stupid enough to also copy the supposed prospect, then stolen lists of actual e-mail addresses may be used for the open relay. If just half of 1% of the links are clicked from the millions of messages sent every day, the ad revenue balloons to over $20,000 per day. Also daily, another thousand or so personal computers are compromised to gather sensitive information or are enslaved in zombie denial-of-service attacks. The current favorites are Macs and iPhones/iPads, with the arrogance of no thought toward security, while trojans gathered more private information in the last year than in the previous 30.

Can you tell I just saw Argo? All fiction aside, web form SPAM is becoming a hassle like our airport security and I wanted to share my experience and hopefully help others. Nearly 5 years ago, we moved several of our websites to Network Solutions – no plug as it could have been anybody such as GoDaddy or whoever, but our external DNS was managed there and it made sense. For the 5 bucks per month with 300GB of space, you just could no longer justify a server with the surrounding maintenance, upgrades, and security issues. Somewhere along the way we created a web form on our contact page and it remained largely intact when we converted all sites to HTML 5 at the beginning of this year.

Unless you purchase premium web development packages, Network Solutions is fairly secretive about its SMTP server and only provides a limit of 5 standard CGI scripts from about 1989 for web forms. The look definitely seems from that era, and we took the relevant code and placed it in a modern contact page. An old-school CGI script was required, but no account names or passwords were listed, and who would take the time to SPAM just us through a contact form, right? Well, the SPAM started a couple of months ago, at first just a few a day. Then it spread to our other sites and we began to get dozens from each site per day.

For some, you’re probably thinking “You idiot. It’s called CAPTCHA”. The problem with CAPTCHA is that it is a poor solution and a deterrent for users. No one can really read the funny-looking numbers and letters to type them back. If you click on a CAPTCHA audio link, you just hear some alien animal noises from another dimension between the thumping of broken heavy metal speakers. So we added a pulldown field that bots couldn’t possibly select. We quickly found that changing the fields made no difference: the terrorist was posting straight to the script and could send whatever fields he chose, so anything enforced only in the browser is worthless.

As usually happens, the world has changed and what was formerly hardly ever used is now the norm: enter information on a landing page in a give-get exchange for an eBook or similar giveaway. To get in the ballgame and not be limited to 5 forms, we decided to convert our contact pages from HTML5 to ASPX and use validation instead of CAPTCHA. The short story is that Network Solutions uses no authentication and localhost for SMTP. We deal with organizations and not consumers, which is why we qualify a person’s role, want to know how many employees, and review the website. Formatting must be correct for things like phone or e-mail, and you’ve got to select something from the pulldown lists and cannot simply hit Enter. The point is that ASP.NET validators run again on the server (the Page.IsValid check), so a bot that skips the form and posts straight to the script is rejected just the same. If necessary, we can also add dynamic simple SPAM questions and answers like “Is ice hot or cold?” to further deter bots. After the form is posted, we acknowledge and thank you for the submittal, along with offering the ability to follow us on social media. The only way to return to the form is by clicking the Reset button.

WARNING ALL TERRORISTS: I don’t care if you’re Johnny Jihad, Red Menace, Mafia, or Hillbilly Joe who can’t get enough of Honey Boo Boo. We also get your IP address. Don’t motivate us further. Spoof all you like. We’ll find you. Oh, don’t worry, we won’t download the code to scramble hard drives and then pop BIOS to brick your machines. We’ll watch, listen, and learn. The authorities and relevant commercial entities will be quite pleased with the information. Getting outed on Reddit or Facebook will also help your cause.

This solution assumes ASPX in VB and is specific to Network Solutions. While not shown in this example, if you must supply an e-mail address and password for an SMTP server, put that information in web.config: ASP.NET never serves web.config over HTTP, so it cannot be viewed like other pages (and you can go a step further by encrypting that section with aspnet_regiis -pe). Change formatting and fields as desired. Enjoy!

CSS:

/* Styles for Contact */
#contact-l {
width: 450px;
margin: 0;
padding: 0;
float: left;
}
input {
margin: 5px;
width: 180px;
}
select {
margin: 6px;
width: 185px;
}
textarea {
width: 300px;
height: 150px;
margin-left: 5px;
}
.button {
width: 100px;
margin-top:10px;
margin-left: 150px;
}
.label {
display: block;
width: 70px;
float: left;
text-align: right;
margin-right: 10px;
margin-top: 5px;
}
#contact-l form {
padding: 10px;
margin: 10px;
width: 430px;
}

Form code example from CONTACT.ASPX:

<%@ Page Language="VB" %>
<%-- First line of contact.aspx; what follows is the contact section of the page --%>

<div id="contact-l">

<form runat="server">
<asp:MultiView ID="MyForm" runat="server" ActiveViewIndex="0">

<%-- View 0: the fields. Everything inside FormContent is walked by SubmitFormClick --%>
<asp:View ID="FormContent" runat="server">

<asp:Label id="companylbl" cssclass="label" runat="server" Text="Company"></asp:Label><asp:TextBox id="Company" runat="server" TabIndex="1"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator1" runat="server" ControlToValidate="Company" ErrorMessage="Required"></asp:RequiredFieldValidator><br>

<asp:Label id="namelbl" cssclass="label" runat="server" Text="Name"></asp:Label><asp:TextBox id="Name" runat="server" TabIndex="2"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator2" runat="server" ControlToValidate="Name" ErrorMessage="Required"></asp:RequiredFieldValidator><br>

<asp:Label id="phonelbl" cssclass="label" runat="server" Text="Phone"></asp:Label><asp:TextBox id="Phone" runat="server" TabIndex="3"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator3" runat="server" ControlToValidate="Phone" ErrorMessage="Required"></asp:RequiredFieldValidator><asp:RegularExpressionValidator id="RegularExpressionValidator1" ControlToValidate="Phone" runat="server" ErrorMessage="Invalid" ValidationExpression="\+?[0-9][0-9 ().-]{6,19}"></asp:RegularExpressionValidator><br>

<asp:Label id="emaillbl" cssclass="label" runat="server" Text="E-mail"></asp:Label><asp:TextBox id="Email" runat="server" TabIndex="4"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator4" runat="server" ControlToValidate="Email" ErrorMessage="Required"></asp:RequiredFieldValidator><asp:RegularExpressionValidator id="RegularExpressionValidator2" ControlToValidate="Email" runat="server" ErrorMessage="Invalid" ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"></asp:RegularExpressionValidator><br>

<asp:Label id="websitelbl" cssclass="label" runat="server" Text="Website"></asp:Label><asp:TextBox id="Website" runat="server" TabIndex="5"></asp:TextBox><asp:RegularExpressionValidator id="RegularExpressionValidator3" ControlToValidate="Website" runat="server" ErrorMessage="Invalid" ValidationExpression="([\w-]+\.)+[\w-]+(/[\w- ./?%&amp;=]*)?"></asp:RegularExpressionValidator><br>

<asp:Label id="rolelbl" cssclass="label" runat="server" Text="Role"></asp:Label><asp:DropDownList id="Role" runat="server" TabIndex="6">
<asp:ListItem>- Please Select -</asp:ListItem>
<asp:ListItem Value="CEO/President"></asp:ListItem>
<asp:ListItem Value="Accounting/CFO"></asp:ListItem>
<asp:ListItem Value="Operations/Administration"></asp:ListItem>
<asp:ListItem Value="Sales/Marketing"></asp:ListItem>
</asp:DropDownList>    <asp:RequiredFieldValidator id="RequiredFieldValidator6" runat="server" ControlToValidate="Role" ErrorMessage="Required" InitialValue="- Please Select -"></asp:RequiredFieldValidator><br>

<asp:Label id="employeeslbl" cssclass="label" runat="server" Text="Employees"></asp:Label><asp:DropDownList id="Employees" runat="server" TabIndex="7">
<asp:ListItem>- Please Select -</asp:ListItem>
<asp:ListItem Value="1 - 10"></asp:ListItem>
<asp:ListItem Value="11 - 25"></asp:ListItem>
<asp:ListItem Value="26 - 250"></asp:ListItem>
<asp:ListItem Value="251 - 1,000"></asp:ListItem>
<asp:ListItem Value="1,000+"></asp:ListItem>
</asp:DropDownList>    <asp:RequiredFieldValidator id="RequiredFieldValidator7" runat="server" ControlToValidate="Employees" ErrorMessage="Required" InitialValue="- Please Select -"></asp:RequiredFieldValidator><br>

<asp:Label id="commentlbl" runat="server" cssclass="label" Text="Comment"></asp:Label><asp:TextBox id="Comment" runat="server" columns="45" rows="10" TabIndex="8" TextMode="MultiLine"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator5" runat="server" ControlToValidate="Comment" ErrorMessage="Required"></asp:RequiredFieldValidator><br>

<%-- Optional anti-spam question; rotate the question and the answer is checked in SubmitFormClick, never in the browser --%>
<asp:Label id="spamlbl" cssclass="label" runat="server" Text="Is ice hot or cold?"></asp:Label><asp:TextBox id="SpamAnswer" runat="server" TabIndex="9"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator8" runat="server" ControlToValidate="SpamAnswer" ErrorMessage="Required"></asp:RequiredFieldValidator><br>

<asp:ValidationSummary ID="ValidationSummary1" runat="server" CssClass="ValidateMessage" ForeColor="" ShowMessageBox="True" ShowSummary="False" />
<asp:Button id="Submit" cssclass="button" runat="server" OnClick="SubmitFormClick" Text="Submit" TabIndex="10" />
</asp:View>

<%-- View 1: shown after a successful send --%>
<asp:View ID="FormConfirmationMessage" runat="server"><p>Your message has been sent. <strong>Thank you</strong> for contacting us. View <a href="terms.htm">terms</a>  for our privacy policy.</p><p>Keep up with the latest business trends and technology:</p>
<ul><li><p><a href="http://blog.matrixforce.com" target="_blank">Managed Services Blog</a></p></li>
<li><p><a href="http://twitter.com/matrixforce" target="_blank"> Matrixforce Twitter Feed</a></p></li>
<li><p><a href="http://www.linkedin.com/company/matrixforce-corporation" target="_blank">Matrixforce LinkedIn Profile</a></p></li>
<li><p><a href="http://www.youtube.com/user/matrixforce" target="_blank">Matrixforce YouTube Channel</a></p></li></ul>    <asp:Button id="Reset" cssclass="button" runat="server" OnClick="ResetFormClick" CausesValidation="False" Text="Reset" />    </asp:View>

<%-- View 2: the SMTP send threw --%>
<asp:View ID="FormErrorMessage" runat="server">    Due to technical difficulty, your message may NOT have been sent.</asp:View>

<%-- View 3: wrong answer to the anti-spam question --%>
<asp:View ID="FormSpamMessage" runat="server">    You did not correctly answer the anti-spam question. Please go back and try again.</asp:View>

</asp:MultiView>
</form>

<script runat="server">
Protected Sub ResetFormClick(ByVal sender As Object, ByVal e As System.EventArgs)
    Response.Redirect("contact.aspx")
End Sub

Protected Sub SubmitFormClick(ByVal sender As Object, ByVal e As System.EventArgs)
    ' The validators run again here on the server, so a POST aimed straight at
    ' the script (the trick used against the old CGI form) is rejected as well.
    If Not Page.IsValid Then Exit Sub

    ' Optional anti-spam question: checked only on the server, never in the browser.
    If SpamAnswer.Text.Trim().ToLower() <> "cold" Then
        Me.MyForm.ActiveViewIndex = 3   ' FormSpamMessage
        Exit Sub
    End If

    Dim SendResultsTo As String = "lead@virtualcio.com"
    Dim smtpMailServer As String = "localhost"   ' Network Solutions: local relay, no credentials
    Dim MailSubject As String = "Virtual CIO Contact Results"
    Try
        Dim FromEmail As String = "noreply@networksolutions.com"
        Dim msgBody As New StringBuilder()
        ' Walk every input inside the FormContent view so new fields need no code changes
        For Each c As Control In Me.FormContent.Controls
            Select Case c.GetType().ToString()
                Case "System.Web.UI.WebControls.TextBox"
                    Dim txt As TextBox = CType(c, TextBox)
                    msgBody.Append(txt.ID & ": " & txt.Text & vbCrLf & vbCrLf)
                Case "System.Web.UI.WebControls.CheckBox"
                    Dim chk As CheckBox = CType(c, CheckBox)
                    msgBody.Append(chk.ID & ": " & chk.Checked & vbCrLf & vbCrLf)
                Case "System.Web.UI.WebControls.RadioButton"
                    Dim rad As RadioButton = CType(c, RadioButton)
                    msgBody.Append(rad.ID & ": " & rad.Checked & vbCrLf & vbCrLf)
                Case "System.Web.UI.WebControls.DropDownList"
                    Dim ddl As DropDownList = CType(c, DropDownList)
                    msgBody.Append(ddl.ID & ": " & ddl.SelectedValue & vbCrLf & vbCrLf)
            End Select
        Next
        msgBody.AppendLine()
        ' Connecting address and browser go into the lead so repeat spammers can be traced.
        ' UserHostAddress is whatever connected to the web server; behind a proxy or load balancer that is the proxy.
        msgBody.Append("Browser: " & Request.UserAgent & vbCrLf & vbCrLf)
        msgBody.Append("IP Address: " & Request.UserHostAddress & vbCrLf & vbCrLf)
        msgBody.Append("Server Date & Time: " & DateTime.Now.ToString() & vbCrLf & vbCrLf)

        Dim myMessage As New System.Net.Mail.MailMessage()
        myMessage.To.Add(SendResultsTo)
        myMessage.From = New System.Net.Mail.MailAddress(FromEmail)
        myMessage.Subject = MailSubject
        myMessage.Body = msgBody.ToString()
        myMessage.IsBodyHtml = False   ' plain text: HTML or script pasted into the comment stays inert
        Dim MailObj As New System.Net.Mail.SmtpClient(smtpMailServer)
        MailObj.UseDefaultCredentials = True
        MailObj.Send(myMessage)
        Me.MyForm.ActiveViewIndex = 1   ' FormConfirmationMessage
    Catch
        Me.MyForm.ActiveViewIndex = 2   ' FormErrorMessage
    End Try
End Sub
</script>
</div>
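The same checks the ASPX page above performs, as a stand-alone Python module you can run against a posted field dict. This is an added example, not the page’s own code and not tied to Network Solutions. It goes beyond the page in two ways: a hidden honeypot field that only a form-walking bot fills in, and an HMAC-signed token for the anti-spam question so the server keeps no session state, can rotate questions freely, and can also insist on a human fill-in time. The field names follow the page’s control IDs; Fax, Answer, Challenge and the key are assumptions.

```python
import hashlib
import hmac
import re
import time

# Assumption: the key lives in web.config or an environment variable, never in markup.
CHALLENGE_KEY = b"replace-with-a-random-32-byte-secret"

# The pulldown values the page offers; anything else means the poster bypassed
# the form and hit the script directly, which is exactly what the author saw.
ROLES = {"CEO/President", "Accounting/CFO", "Operations/Administration", "Sales/Marketing"}
EMPLOYEE_RANGES = {"1 - 10", "11 - 25", "26 - 250", "251 - 1,000", "1,000+"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{6,19}$")
WEBSITE_RE = re.compile(r"^([\w-]+\.)+[\w-]+(/[\w\-./?%&=]*)?$")  # shape of the page's Website validator
URL_RE = re.compile(r"https?://", re.IGNORECASE)

MIN_FILL_SECONDS = 3      # a person needs longer than this for eight fields
MAX_FILL_SECONDS = 3600   # a token older than an hour is stale


def _norm(answer):
    return " ".join(answer.strip().lower().split())


def _tag(issued, answer):
    msg = f"{issued}|{_norm(answer)}".encode()
    return hmac.new(CHALLENGE_KEY, msg, hashlib.sha256).hexdigest()


def make_challenge(correct_answer, now=None):
    """Value for the hidden Challenge field when the form is rendered.

    The token commits to the correct answer without revealing it (keyed HMAC),
    so the question can be rotated and nothing has to be remembered in session.
    """
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_tag(issued, correct_answer)}"


def verify_challenge(answer, token, now=None):
    """True only if the visitor's answer reproduces the tag and the timing is human."""
    try:
        issued_str, tag = token.split(":", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False
    age = int(time.time() if now is None else now) - issued
    if not MIN_FILL_SECONDS <= age <= MAX_FILL_SECONDS:
        return False
    return hmac.compare_digest(tag, _tag(issued, answer))


def validate_submission(form, now=None):
    """Return the list of rejection reasons; an empty list means accept the lead.

    `form` is the posted field dict. Names follow the page's control IDs plus
    three assumed extras: Fax (honeypot), Answer and Challenge.
    """
    def field(name):
        return (form.get(name) or "").strip()

    problems = []
    # Honeypot: hidden with CSS, so a person never fills it; a form-walking bot does.
    if field("Fax"):
        problems.append("honeypot filled")
    for name in ("Company", "Name", "Phone", "Email", "Comment"):
        if not field(name):
            problems.append(f"{name} required")
    if field("Phone") and not PHONE_RE.match(field("Phone")):
        problems.append("Phone format")
    if field("Email") and not EMAIL_RE.match(field("Email")):
        problems.append("Email format")
    if field("Website") and not WEBSITE_RE.match(field("Website")):
        problems.append("Website format")
    # Whitelist the pulldowns server-side: the placeholder and made-up values both fail.
    if field("Role") not in ROLES:
        problems.append("Role not selected")
    if field("Employees") not in EMPLOYEE_RANGES:
        problems.append("Employees not selected")
    # Comment spam is mostly links; a real prospect rarely pastes more than one.
    if len(URL_RE.findall(field("Comment"))) > 1:
        problems.append("too many links in Comment")
    if not verify_challenge(field("Answer"), field("Challenge"), now):
        problems.append("anti-spam question")
    return problems
```

Render make_challenge("cold") into a hidden field next to the question, run validate_submission on the POST, and only build the e-mail when the list comes back empty; every rule here is server-side, so removing the form’s JavaScript or posting to the handler directly changes nothing.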

Control Your Destiny

Seriously? Again? So how long were sales people not able to use the system and e-mail was down and people thought you went out of business because the website wasn’t there either?

It’s a common story. You wouldn’t thoughtlessly give a relative stranger your power of attorney or access to your bank account. However, most business owners (large and small) regularly and naively give up full control to their reputation, communications, and business continuity. How?

They let random web guys control their external DNS (Domain Name System). Before your eyes glaze over and you move on – PAY ATTENTION. Just like the myriad other acronyms you’ve learned to manage a business, this one is a definite must know.

DNS is simply the service that turns a name, whether a computer name like SHERYL-PC on your network or a domain name like www.matrixforce.com on the Internet, into an IP address (and, through reverse lookups, back again). If the local DNS service on a network is not working, you can’t browse the Internet or send or receive e-mail. If your external DNS is not working, no one can reach your network, send you e-mail, or find your web site. Before you smugly think “I’ve got people who handle this for me”, think again.

Do a whois search by entering your domain name like matrixforce.com (without the www) and see what is displayed by clicking this link: Network Solutions Whois. For the majority of you, the address or phone number will be wrong and some unknown vendor or past employee will be listed as a contact. Also, the renewal date is likely a shock and nowhere on your calendar reminders. If this is you, then that vendor owns you, or if it’s a past employee you now have to go through a lengthy process to prove ownership. And if the name servers listed at the bottom aren’t related to the Registrar, then you have the further problem of a third party in the mix. Which leads to the next question: where are you registered, and what is the user name and password to change the information?

For best practices you should:

  1. Have your domain at a Registrar that offers not only domain creation and renewal, but a DNS manager and web hosting. My preference is Network Solutions (no compensation for this recommendation), but there is also Register.com, GoDaddy and several others. These services are long-established, stable, and reasonably priced.
  2. Your registrar account should be something generic, like your business name. The Registrar login URL, user name, and password should be kept where you can reach them for maintenance and during disasters, independent of a vendor, IT support, or any other employee. Ideally, you should have separate contact information for the administrative and technical contacts. The e-mail address should be something generic like billing@abc.com that is tied to a distribution group or a real mailbox. That way contact isn’t lost when people change roles, and multiple staff receive notices of things like a pending domain renewal, which prevents website and e-mail disruption. If you want a technical contact for IT or a vendor, the same rule applies: use something like support@xyz.com. Keep the registrar’s transfer lock on, so the domain cannot be moved anywhere until you unlock it yourself.
  3. DO NOT allow a random web guy or even an established web design company access to your Registrar account. Once a domain registration is transferred, there is a mandatory 60-day waiting period before it can be transferred again. Escaping from capture by some no-name Registrar or web guy can be trying, because at any point they have the power to block a transfer back. AND they don’t want you to move back to someone reputable, because they lose control and the annual domain registration commission. Guess what? You have no e-mail or website while the transfer takes place, and likely for DAYS afterwards, as most web designers know little about the process and don’t add any DNS settings for remote access, e-mail, or even the website.
  4. DO NOT allow a random web guy or established web company to change your external DNS. To update a website, all a web designer needs is an FTP user account and password (separate from your Registrar user name and password; use SFTP or FTPS if the host offers it, since plain FTP sends the password in the clear). They desperately want to move you to hosting they resell, so they are motivated not only to change your web hosting but to move DNS to them too. Now you’re at a questionable web host of doubtful long-term viability or uptime and, more importantly, totally dependent on contacting the web design company and hoping they make any necessary changes for you. Can you say OWNED? Try getting hold of Johnny-Bag-Of-Donuts during normal times, much less during that e-mail migration on the weekend or a blizzard. And yes, unless they are expert in the process and took a copy of your DNS records ahead of time to recreate at the new host, you go without e-mail or a website again.
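Point 4 ends on the one technical safeguard in the list: keep a copy of your DNS records before anything moves and compare afterwards. As an added example (not the page’s own code), the following Python takes two snapshots in the format `dig +noall +answer` prints (one query per record type, since many servers no longer answer ANY), lists what went missing or changed at the new host, and checks that the records mail, remote access and the website depend on are still there. The zone, addresses and required-record list are constructed for the example; substitute your own.

```python
# Snapshot taken before the move, as `dig +noall +answer` prints it
# (constructed: example.com and the addresses are documentation placeholders).
BEFORE = """
example.com.              3600 IN A     203.0.113.10
www.example.com.          3600 IN CNAME example.com.
remote.example.com.       3600 IN A     203.0.113.20
example.com.              3600 IN MX    10 example-com.mail.protection.outlook.com.
autodiscover.example.com. 3600 IN CNAME autodiscover.outlook.com.
example.com.              3600 IN TXT   "v=spf1 include:spf.protection.outlook.com -all"
"""

# What the new host published: the web guy set up the site and nothing else (constructed).
AFTER = """
example.com.              300 IN A     198.51.100.5
www.example.com.          300 IN A     198.51.100.5
example.com.              300 IN MX    10 mail.example.com.
"""

# Records that must exist for mail, remote access and the website to keep working.
# A None type means any record type for that name will do (A or CNAME for www).
# Assumption for the example: adjust to the services your domain actually carries.
REQUIRED = [
    ("example.com.", "MX", "inbound e-mail"),
    ("autodiscover.example.com.", "CNAME", "Outlook and phone mailbox setup"),
    ("example.com.", "TXT", "SPF, so outbound mail is not rejected"),
    ("remote.example.com.", "A", "remote access"),
    ("www.example.com.", None, "website"),
]


def parse_zone(text):
    """Return {(name, type): set(rdata)} from dig-style answer lines; TTL and class are ignored."""
    zone = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, rtype, rdata = parts[0].lower(), parts[3].upper(), " ".join(parts[4:])
        zone.setdefault((name, rtype), set()).add(rdata)
    return zone


def diff_zones(before, after):
    """Record sets missing at the new host, changed, or newly added, as sorted lists."""
    missing, changed, added = [], [], []
    for key, rdata in before.items():
        if key not in after:
            missing.append(key)
        elif after[key] != rdata:
            changed.append((key, sorted(rdata), sorted(after[key])))
    for key in after:
        if key not in before:
            added.append(key)
    return {"missing": sorted(missing), "changed": sorted(changed), "added": sorted(added)}


def missing_required(zone):
    """Required records absent from a zone, with the business function that breaks."""
    names = {name for name, _ in zone}
    gaps = []
    for name, rtype, purpose in REQUIRED:
        present = (name, rtype) in zone if rtype else name in names
        if not present:
            gaps.append((name, rtype or "A/CNAME", purpose))
    return gaps


if __name__ == "__main__":
    before, after = parse_zone(BEFORE), parse_zone(AFTER)
    report = diff_zones(before, after)
    for kind in ("missing", "changed", "added"):
        for item in report[kind]:
            print(f"{kind:8} {item}")
    for name, rtype, purpose in missing_required(after):
        print(f"BROKEN   {purpose}: no {rtype} record for {name}")
```

Run the BEFORE capture against your current name servers before the registrar or host changes anything, and the AFTER capture against the new ones (`dig @new-nameserver name type +noall +answer`) before you repoint the domain; an empty missing_required list is the go/no-go for the cut-over.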

So now the staff is trying to get a $200M manufacturing company’s e-mail back, because the owner’s niece had a college buddy who does websites and moved the registration. They’ve gone 2 days with the sales people unable to access the system, no one has had e-mail, and the website is down. The customer was able to contact Rupert, but the DNS manager at Wheely-Wacky-Wild Domains has been down and, as a third-tier registrar, it actually does take 24 hours for updates to happen, rather than the roughly 15 minutes of the big boys. After all this bungling, the customer can’t be found in Google and the site is not even in HTML5, but that’s another story.

Dead Zero

Here are two contrasting stories of network security for National Cyber Security Awareness Month. What follows does not depict real events or persons. In the business world, corporate data is protected by two separate, yet equally important groups: the Information Technology staff, who maintain systems, and management, who control budget and strategy. These are their stories:

Scenario 1

“Zeus, this is Striker”, the hacker said, like this was some cool military mission. “You were right about that IP address from the port scan and this should be easy”. The java injection for the just above consumer-grade Sonicwall got the hashed password. Let’s RDC to the mail server using the internal IP specified by the SMTP rule. Yep, same password for the domain administrator account. Score and owned!

Now add an account to the firewall with a special rule and port for backdoor access just in case; it takes four steps in as many places to find, so it’s not likely to be discovered. Hide another admin account in AD and bury the hacking utilities some three folders down in Windows.

Time for the good stuff – make sure there is full access to all mailboxes and as usual administrator has full permission to all files. Find the HR, Accounting, and Management folders and copy anything that looks promising. Whoops, there’s that password spreadsheet. [Grin] Bingo, in the accounting system and that account number list will help quite nicely.

That should be some good commission. Charlie, I mean Whiplash, has the employee list to get a decent return on stolen identities. Crackers can do the bank transactions and order spurious stuff from suppliers using the accounting data. And finally, Ohura can use Outlook Anywhere to copy or monitor anyone’s mailbox, using the website or LinkedIn to target the big-wigs first.

Scenario 2

“Zeus, this is Striker”, the hacker said like this was some cool military mission. “Why are we looking at this one again?”

The firewall was enterprise grade. Worse, the MX record showed that e-mail was hosted at Microsoft. Further, there was a CNAME for SharePoint, which likely housed all the critical data, also at Microsoft. Ohura was dating a salesman there who was brain-dead and had no scruples about giving away company secrets, but his account only had access to his mailbox and some public sales literature. Even if it were the IT guy, his account wouldn’t have access to all the SharePoint data and mailboxes in the cloud.

I could spend a couple of nights hammering on this firewall, but what is there to go after? For sure, I don’t want to start going after Microsoft and have SWAT busting down the door the next day. “Zeus, let’s go after something with a pay day.”

Practical Network Security

October is National Cyber Security Awareness Month and, while not a sexy topic, network security does include ample intrigue, betrayal, and high emotion. Unfortunately, no one cares about security UNTIL something happens, but savvy business people know they can’t fall asleep at the wheel or they risk heavy damages and loss. Network security is two-thirds business approach and process and one-third technical. You start with what is acceptable business risk and then weigh that against prevention and tracking.

Most security risks come from employees, either inadvertent or malicious, not from external hackers. While an organization should have employee agreements and an employment manual, the easiest and most commonly overlooked item is a logon banner. At no cost, this legal notice is displayed at each logon and accepted by pressing Enter or clicking OK; on Windows it is the Group Policy pair “Interactive logon: Message title/text for users attempting to log on” under Security Options, so it can be pushed to every machine in the domain at once. The notice should state simply that computer use is for the business of the organization, may be reviewed at any time by the organization, that inappropriate use may have administrative, civil, and criminal consequences, and that the user should log off if they do not agree. Without this regular affirmation, all the money spent on attorneys and HR consulting can easily be nullified by an employee claiming ignorance, saying nothing was ever said again about organization policy after hiring.

Similarly, most organizations practice limited prevention or tracking and often don’t know when to use each. Web filtering that blocks all non-business activity (yes, you can have different rules for lunch or after hours) enforces policy with minimal management. Trying to produce a report of Internet activity is now nearly impossible because of the variety of applications that are always connected. Further, meaningless reports that no one has time to review are a waste of time and, worse, demonstrate indifference.

Among the other benefits of cloud computing, many organizations are reaping the rewards of document access tracked by user and date/time, with all e-mail journaled for record keeping regardless of what an employee deletes from their mailbox. Versus expensive on-premise systems and storage, organizations can now not only add productivity while enjoying lower technology costs, but also have proof of information access and transmittal for regulatory, compliance, or legal matters.