The Old Gray Mare Ain’t What She Used to Be

This might seem like a blog about horses or livestock, but we will be talking about technology, and how to breathe new life into your old computers.

In 1946 the ENIAC was designed to be the end-all and be-all of technology.  Twenty minutes of computer time would replace over 240 man-hours where calculations were concerned.  The economic model fell apart with the number of man-hours needed to maintain the computer, not to mention the parts, the ‘tubes’ and the energy needed to power it.

Today, in this modern era of technology, we have something known as Hardware Asset Management.  If your CIO gives you a blank stare when you talk with him or her about it, consider hiring a new one.

CFOs hate surprises.  Without asset management, one quickly learns there are no good surprises in business.

The modern-day desktop has a life cycle of five years and the laptop three.  What if there were a way to extend that life cycle for a minimum investment?

Components in computers are rated by something known as MTBF, or Mean Time Between Failures.  Notice that it is not ‘if’ it fails, but ‘when.’

Looking at the different components within a computer, one of the most fragile and arguably most important is the hard drive.  Next would be the power supply and any moving parts: the fans, drives and CD-ROM.

How do we mitigate this to an acceptable level of risk, and push the envelope out one, two or more years?

Normal physical maintenance should be at the top of every ‘engineer’s’ duties:
· Visiting with the users, looking for clues about what they are dealing with.
· Visual inspections of how the machines are installed and cared for.
· Regular dusting of the CPU and other fans, looking or listening for worn bearings, etc.
· Frayed cables or broken tabs on network cables.
· Non-authorized software.

Managers of those individuals should be mindful of updates, security and so on.  License compliance is part of Software Asset Management and is not in the scope of this document.

Now what about extending the life cycle of a computer?

The secret is SSD drives.  As developers constantly raise the requirements for applications to perform, we cast aside perfectly viable computers for newer hardware.

What if? 

What if we could solve some of those issues with a simple upgrade?  SSDs are under $100 for a terabyte drive.  A disk duplicator costs around $40, or certainly less than one hundred dollars.

Take out the hard drive, place it in the source compartment of the duplicator and the new SSD in the target; in four hours’ time you have a solid state drive that is no longer subject to accidental jars, such as in laptops.  More important than this is the speed.  You also have a perfect clone of the original, meaning you have a backup should something happen.
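A clone is only a backup if it really matches the source. The following is an added example, not code from the original post, for checking a finished clone before the old drive is wiped or shelved: it reads both devices chunk by chunk, tolerates a target larger than the source (the zero padding past the source’s end is normal when a bigger SSD replaces a smaller disk) and reports the first differing byte. The file names, the constructed image contents and the helper names are assumptions for the demo; on a real system you would pass the two device paths (for example a /dev/sdX style node on Linux, with read permission) instead.

```python
"""Added example (not from the original post): verify that a cloned drive is a
bit-for-bit copy of its source before relying on it as a backup.  Works on
regular image files or raw block devices; the target may be larger than the
source, which is the normal case when a bigger SSD replaces a smaller disk."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read keeps memory flat on terabyte devices


def device_size(path):
    """Size in bytes.  os.path.getsize() reports 0 for block devices on Linux,
    so seek to the end instead; this works for files and /dev/... nodes alike."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def compare_images(source_path, target_path, chunk=CHUNK):
    """Compare target against source for the length of the source.

    Returns a dict with 'identical' (bool), 'first_mismatch' (byte offset or
    None), 'source_bytes', 'target_bytes' and 'source_sha256' (hex digest of
    the source, worth recording alongside the clone)."""
    src_size = device_size(source_path)
    tgt_size = device_size(target_path)
    digest = hashlib.sha256()
    first_mismatch = None
    with open(source_path, "rb") as src, open(target_path, "rb") as tgt:
        offset = 0
        while True:
            a = src.read(chunk)
            if not a:
                break
            b = tgt.read(len(a))
            digest.update(a)
            if a != b and first_mismatch is None:
                # Pin down the exact byte; a short read of b means the target
                # ended before the source did.
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        first_mismatch = offset + i
                        break
                else:
                    first_mismatch = offset + len(b)
            offset += len(a)
    return {
        "identical": first_mismatch is None and tgt_size >= src_size,
        "first_mismatch": first_mismatch,
        "source_bytes": src_size,
        "target_bytes": tgt_size,
        "source_sha256": digest.hexdigest(),
    }


def make_constructed_images():
    """Write three small constructed images to a temp dir so the check can be
    exercised offline: a source, a faithful clone on a larger target, and a
    clone with one flipped byte.  Returns {name: path}."""
    workdir = tempfile.mkdtemp(prefix="clone_demo_")
    source = bytes(range(256)) * 40               # 10,240 bytes of constructed data
    good = source + b"\x00" * 4096                # bigger target, zero padded
    bad = bytearray(source)
    bad[5000] ^= 0xFF                             # single corrupted byte
    paths = {}
    for name, data in (("source.img", source), ("good.img", good), ("bad.img", bytes(bad))):
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    return paths


if __name__ == "__main__":
    p = make_constructed_images()
    print("good clone:", compare_images(p["source.img"], p["good.img"]))
    print("bad clone: ", compare_images(p["source.img"], p["bad.img"], chunk=1024))
```

The comparison stops at the source’s length on purpose: the extra space on a bigger SSD is expected and is not a defect. Record the source digest with the clone so a later check can be done against the SSD alone, without the original drive.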

SSDs are much faster than regular hard drives and have no moving parts.

The laptop I am writing this on was a retired HP with an i3 processor and 6 GB of RAM.  One $100 drive later, this laptop performs like a new one.  Yes, the Office applications are still 2010, but I have Windows 10 and it runs just fine.
Boot-up time went from over three minutes to under thirty seconds.

Application loading time is incredible, and if Windows needs to swap, it is swapping to flash memory and not to a slow hard drive.

Bottom line: I have a perfectly good laptop pulled from the retirement pile for $100 and four hours of my time.

Since the copy process is automatic, you put the two drives into the machine, hit copy and go do something else until it is finished.  Actual human hours involved were less than 20 minutes.
The old gray mare is now running like a colt, and I can save the money I would have spent on a laptop and new software for something else.

For an individual this is an easy decision to make.  Multiply this by ten or a thousand employees.  Could your P&L use the extra boost?

As always, I am a consultant and would be happy to visit with you about how you are doing business, and whether there are ways to improve upon it.

Bio:
I was working with computers before Bill Gates was a household name, and Steve Jobs was still a criminal working out of his garage, designing and building ways to scam the phone company.  I met him while supporting Next Step Computers during one of my jobs years ago.
From before ‘Al Gore’ invented the internet to performing disaster recovery strategies for large and small companies, I stay active.  Reach out to me on LinkedIn, or through this blog.
-Best

Ready, Fire …Aim

After the recent storms, one might have guessed that my phone has been busy.  Firstly, let me say that Disaster Recovery, by its very title, is a bit of a misnomer.  While I have some ability to recover lost data using forensic skills developed over decades of twiddling bits, that is not really disaster recovery.

Disaster Recovery and business continuity are about planning for an event which may or may not happen.  The “plan” assumes that your business systems will be affected negatively and puts forth a tested strategy to recover from that event.

With the recent devastation by hurricanes and earthquakes, one would think that those businesses not affected would be learning from those that were.  If you search my blogs on this site, you will see that I have laid out

Do not ask him or her “are we covered, just in case”; ask them the specific questions laid out in this blog here.

“Yes” is not a satisfactory answer; demand the details and the proof.  I don’t care how much of a friend he or she is, demand the evidence.  The devil is in the details, and the last thing you want is a bunch of excuses.

I am learning from phone calls that too many have been assured that they are covered, and that is very possibly why today they are looking for ways to recover data from destroyed equipment.

Disaster recovery is not some dark magic spell cast under the voodoo of bits and bytes in the wiring closet or the back of the computer room.  The bottom line is to test it: whatever your people come up with, check it.  Keep checking it until outside contractors, on their own hardware, can recover your business using only the data and documents prepared by your staff.  There is to be no input from you or your staff during the test.  The hurricane, earthquake, fire, attack from zombies or employee error took you and them away from the scene.  The plan provided must work!

This is why those of us who do this insist that companies use “best practice” industry standards when creating their individual networks and systems.

One such company has a senior IT staff littered with programmers.  These people think they know more than Microsoft.  Using kludges from Unix, Linux and other programming wizardry to subvert some of the basic tenets of networking, they have made their network so unique that it will depend on them being there to recover.

If it is not broken, don’t fix it!

Writing programs to work around things like DNS is just crazy, and now the network is dependent on never changing, at all.

Even if your data is successfully mirrored offsite, an excellent team of engineers might get you going in weeks, not days, if you have failed to follow best practices.  While your data might eventually be usable, you and your company will be on the sidelines, as most businesses do not recover from such a catastrophe.

Folks, I have been at this since 1982; I have learned a thing or two in those years.  Ask your team the questions, or be prepared for unpleasant surprises should you ever face a business-stopping event.

Got to go and explain once again what disaster recovery is and is not.

-Best

The latest method of attack. #DisasterRecovery

As a matter of course, I try not to post too much about computer security, as I am certain that most have seen this before.

We know not to open unexpected attachments, and to have good anti-virus software updated and running at all times.

This morning I received a different type of threat that I thought worth sharing, so here it is.

Usually the jargon is about some sort of violation or someone suing me for something, with an attachment to open to see what it is; this was different.

The words included were, “for your security we use dropbox for the evidence against you. Please follow the link and respond within 3 days or a summary judgement will be made.”

Of course, the return e-mail address is bogus; the trick is to get me to open an attachment, in this case hosted on Dropbox.  Once downloaded, there is no telling what it would do, but most certainly nothing good.

No law enforcement or government agency would work in this way; even if you were expecting something from someone, it would not come in by e-mail.

Even if you are expecting it and the e-mail address is correct, I would still make a call before opening anything sent as an attachment.
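The tells in this message (a reply address that does not match the sender, a deadline tied to a legal threat, and an “evidence” link on a file-sharing host rather than the sender’s own domain) are mechanical enough to check automatically. The following is an added example, not the author’s code: it parses a raw e-mail, scores those three signals and returns the reasons. The sample messages, the sender domains (.invalid and example.com are reserved names) and the Dropbox link path are constructed for the demo; the phrase list is a starting point, not a complete rule set.

```python
"""Added example (not from the original post): flag the three tells in the
e-mail described above: a Reply-To or Return-Path domain that differs from
the From domain, deadline and legal pressure language, and a link to a
file-sharing host instead of the sender's own domain."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts commonly used to park a payload; extend for your own environment.
FILE_SHARE_HOSTS = {
    "dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com",
    "drive.google.com", "wetransfer.com",
}

# Pressure language.  Matched case-insensitively; the list is a starting point.
PRESSURE_PATTERNS = [
    r"\bwithin \d+ days?\b",
    r"\bsummary judge?ment\b",
    r"\bevidence against you\b",
    r"\blegal action\b",
    r"\brespond immediately\b",
]


def domain_of(header_value):
    """Bare domain of an address header, lower-cased, or '' if absent."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return {'score': n, 'findings': [...], 'verdict': 'suspicious'|'ok'}."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Reply path that does not lead back to the claimed sender.
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # 2. Deadline / legal pressure in the body.
    for pattern in PRESSURE_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            findings.append(f"pressure language matched /{pattern}/")

    # 3. Links that hand the reader off to a file-sharing host.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_SHARE_HOSTS:
            findings.append(f"link to file-sharing host {host}")

    score = len(findings)
    return {"score": score, "findings": findings,
            "verdict": "suspicious" if score >= 2 else "ok"}


# Constructed sample modelled on the message quoted in the post; the domains
# and the link path are placeholders, not real addresses.
SUSPICIOUS_SAMPLE = """From: "Court Clerk" <notices@legal-notice.invalid>
Reply-To: respond@unrelated-mailer.invalid
Subject: Case filed against you
Content-Type: text/plain; charset=utf-8

For your security we use dropbox for the evidence against you.
Please follow the link https://www.dropbox.com/s/PLACEHOLDER/evidence.zip
and respond within 3 days or a summary judgement will be made.
"""

# Constructed benign message: sender and link share a domain, no pressure language.
BENIGN_SAMPLE = """From: "Alice Example" <alice@example.com>
Subject: Q3 numbers
Content-Type: text/plain; charset=utf-8

Hi, the spreadsheet is on the intranet: https://intranet.example.com/q3.xlsx
Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyze(sample)
        print(label, result["verdict"], result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict threshold of two findings is a deliberate choice: a single file-sharing link or a single “within 3 days” is common in legitimate mail, but the combination with a mismatched reply path is the pattern the post describes. A mail gateway would normally quarantine on this score rather than just report it.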

Ransomware is working: hospitals and even government agencies are paying the perpetrators, which causes them to continue with more fervor.

[Image: ransomware.jpg] You do not want to see this, so practice safe computing.

Practice safe computing, which includes a good disaster recovery plan.

-Best

(c) All Rights Reserved 2016

HIPAA and other things that go bump in the night…

HIPAA: Health Insurance Portability and Accountability Act

Being an IT guy for the last 35 years, I am no stranger to HIPAA, SOX, FISMA and many other regulations from the government, including the federal mandates as to how compliance is to be accomplished.

While HIPAA is designed to protect your privacy, I wonder if that is how it is actually being used.

From a DR (disaster recovery) standpoint, your data must be backed up and off site.  Your data must be recoverable, meaning that you have successfully tested the restore process on a regular basis.
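Both the earlier post (“test it … keep checking it until you can recover your business”) and this paragraph come down to the same thing: a backup is only recoverable once a restore has been done from scratch and checked. The following is an added example, not the author’s or any vendor’s code, of a minimal scripted restore drill: it builds a backup archive and a SHA-256 manifest, restores the archive into a brand-new empty directory and compares every file against the manifest, reporting anything missing, corrupt or unexpected. The sample files, directory names and function names are constructed for the demo.

```python
"""Added example (not from the original post): a scripted restore drill.
Backup = tar.gz archive + SHA-256 manifest.  The drill restores into a fresh
directory and verifies every file against the manifest, so 'recoverable'
is something you have demonstrated rather than assumed."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(src_dir, manifest_path):
    """Record relative path -> sha256 for every file under src_dir."""
    entries = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, src_dir)] = sha256_file(full)
    with open(manifest_path, "w") as fh:
        json.dump(entries, fh, indent=1, sort_keys=True)
    return entries


def create_backup(src_dir, archive_path):
    """Archive src_dir under the top-level name 'backup'."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname="backup")


def restore_drill(archive_path, manifest_path):
    """Restore into a new empty directory and verify against the manifest.

    Returns (ok, problems): problems is a sorted list of 'missing: p',
    'corrupt: p' and 'unexpected: p' strings."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    restore_root = tempfile.mkdtemp(prefix="restore_drill_")
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_root, filter="data")  # path-safe extraction
        except TypeError:  # Python releases without the 'filter' argument
            tar.extractall(restore_root)
    restored_dir = os.path.join(restore_root, "backup")

    actual = {}
    for root, _, files in os.walk(restored_dir):
        for name in files:
            full = os.path.join(root, name)
            actual[os.path.relpath(full, restored_dir)] = sha256_file(full)

    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return (not problems), sorted(problems)


def run_demo():
    """Constructed scenario: a good backup passes; a backup taken after one
    file was lost fails with that file reported as missing."""
    work = tempfile.mkdtemp(prefix="dr_demo_")
    src = os.path.join(work, "data")
    os.makedirs(os.path.join(src, "ledger"))
    with open(os.path.join(src, "ledger", "q3.csv"), "w") as fh:
        fh.write("account,amount\n1001,42.00\n")       # constructed content
    with open(os.path.join(src, "runbook.txt"), "w") as fh:
        fh.write("1. call the contractor\n2. restore\n")

    manifest = os.path.join(work, "manifest.json")
    write_manifest(src, manifest)

    good_archive = os.path.join(work, "good.tar.gz")
    create_backup(src, good_archive)
    good_ok, good_problems = restore_drill(good_archive, manifest)

    os.remove(os.path.join(src, "ledger", "q3.csv"))    # simulate a lost file
    bad_archive = os.path.join(work, "bad.tar.gz")
    create_backup(src, bad_archive)
    bad_ok, bad_problems = restore_drill(bad_archive, manifest)
    return {"good": (good_ok, good_problems), "bad": (bad_ok, bad_problems)}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is kept apart from the archive on purpose: if the two travel together, a corrupted or truncated backup can carry a matching manifest and still pass. Store the manifest with the run book and hand both to whoever performs the drill.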


The easiest way to do this is with cloud technology, but I am here to tell you that the hackers attack the cloud.  If your data, and my data, and your competitors’, is in some nebulous storage array out there in some data center, that is a central target for the bad guy.

You must have written policies and procedures regarding this.  They would be part of your DR plan, your run book, or the living document that is your DR plan.


SOX, or Sarbanes-Oxley, is another set of rules that applies to all publicly traded companies and shares many of the tenets of a good DR plan.  E-mails must be stored and retrievable in the event the government wants to see them: stored off-site and recoverable.


The government, for the government’s own use, has stricter policies and procedures, which I wrote about some time back when the Hillary e-mail fiasco came to light.  That is why this whole e-mail scandal is laughable, as there is no possible way that those e-mails should have been lost, just as there is no way that she should have had a server of her own dealing with Top Secret classified e-mails.  Why she is not already wearing orange and living in Club Cupcake Penitentiary is a testament to the corrupt policies and procedures that our wonderful government seems to enjoy for the rich and famous, or in this case the political elites.

When calling and talking with any of the folks at your insurance carrier, you are told that your call may be recorded and monitored for security and training purposes.  Now please tell me how this does not violate HIPAA?

When visiting your doctor you had to sign a release, basically nullifying HIPAA, so they, the office staff or the doctors can talk about your case, health or anything else that is needed with whomever they have to deal with to get paid.  Again, how is this not a violation of HIPAA?  Working behind the scenes at these places I have heard many cases talked about, from end-stage renal disease to genital warts, complete with names.  I was once working in a plastic surgeon’s office where his desk was littered with open pictures of nude women, before and after breast augmentation, etc.  This stuff should have been put away before I was ever allowed into his office.


The simple fact is that we are living in an age of no privacy, either expressed or implied.  The idea of HIPAA is great but, like the thousands of pages of tax code, it is virtually meaningless after the lawyers get through with it.  It’s like living in Chicago with all sorts of police vehicles, and one cop who lives at the donut shop.  There is the illusion of security, but it simply does not exist.

The airport is another place where you have no privacy, but still the TSA misses about 95% of the threats that their own agents try to smuggle through while testing their efficiency.


While we parade through scanners that strip us naked and expose us to ionizing radiation, they still miss 95%!  How the hell is that possible?!


While in the waiting room the other day I could hear the office staff talking about patients and their treatment options.  That was not bad enough.  One of the ladies at the reception desk was calling patients who owed them money between greeting people, taking credit card info.  Yep, she read back the guy’s number in full, the billing zip code and the expiration date where everyone could hear it.  I take credit cards and I thought to myself, you did not get the CVV code.  A few minutes later she called him back to get that, and repeated it where anyone in the waiting room could have heard.


While I have since written a letter to my doctor, it does not end here.


This same doctor prescribed some meds that I went to CVS to pick up.  While in line, the cashier, after getting your name and date of birth, grabs the meds off the shelf and tells you what they are so everyone in line and the immediate area can hear.

Name and DOB are nobody’s business, and certainly what you are buying is nobody’s business.

While I may be over sensitive to this, I don’t really think so…

Either we have HIPAA or we don’t.  Either we follow the rules and policies set forth…or we don’t.

The illusion of security is not enough.  The illusion of privacy is not enough.  Collecting everyone’s metadata without a warrant is wrong on many levels.

We need to look at and re-vamp all of these policies as we have given up so much of our privacy for the sake of laziness on the part of the employees.

Instead of me telling the lady behind the counter, she should ask to see my ID, verifying who I am and my DOB without saying it aloud.  After she pulls my meds she can show me what they are without voicing them.  Simple policy changes prevent unauthorized, or in this case nosey, people in line getting into your business.

There are simple answers for all of these things, but one simply has to think.  We are too damned lazy to think.

-Best

© Copyright 2015 All Rights Reserved

RATS and Right to Privacy

While some may find them cute and cuddly, and some absolutely disgusting, the rat that I am speaking of is neither.

The RAT that I want to educate you about is really an acronym: Remote Access Trojan.


Just about everything electronic today has a built-in camera, not to mention a microphone.


Some smart TVs actually have them built in to allow you to voice-command the TV.


Your car may very well have something like this built in.


I have long held that our government could, if they wanted, under some obscure interpretation of the Patriot Act, access your camera and/or microphone to peek into your home.  I have also thought that this could be done with the microphone and camera on most laptops, and of course desktops that have them.


Not only is there news of the Feds hacking your cell phones and either listening in or downloading your contact list and other information through something called StingRay, but there are theories that your local police may be doing this as well, without a warrant!  (1)


It is not enough that we may have our government spying on us without a warrant; we have Trojans that copy your keystrokes and send them to some server in Russia or some other obscure third-world country, looking for passwords and banking information, and now we have RATs.

Today we know that perverted individuals out there have in fact used the cameras in laptops handed out by a school to spy on kids in their bedrooms.  While this made the news, little attention was really paid to it, as conspiracy nuts are everywhere.


(2) The Case in question

We now know that the Chinese, among others, have created Trojans that allow them remote access to the camera and/or microphone in your laptop!  Simply click on the wrong thing and the writer of the software has access to your machine.

One couple received a picture of themselves lying in bed watching a movie on Netflix.  It came to them from someone using a made-up name, via their Facebook page.


(3) Naked Security Story

You really have to be smart when you are cruising the internet and checking e-mail, as the crooks and other creeps are smarter.  I have often said that these folks are probably kids sitting around in their mother’s basement in their underwear, writing Trojans, seeing who can outdo the other via groups like Anonymous.


I would like to see devices like phones have an actual on/off switch or a removable, customer-replaceable battery.  If you want to make certain that the thing is off, remove the power.  Apple has made this task about impossible for the everyday user, and that is problematic.  Placing the device in airplane mode might be your closest bet to protecting your privacy, but I would bet that there is a workaround for that.


I would also like to see on/off switches on cameras and microphones that absolutely cut them off until required.


The simple truth is that we have no idea what these phones are doing in the background, and with viruses and Trojans we have no idea when some remote access Trojan will activate or be activated by some creep in some basement somewhere.

Someone should write an app that tells you what the phone is doing or has done.

When you sit back and think that I am a crazy conspiracy nut, I would remind you of the porn scanners that are still in use at some airports today.

[Image: full-body-scanner-image] Yes, if you invert the negative with any cheap software you get a positive…

Who in their right mind would think that it is ok to use ionizing radiation to undress the public by the tens of thousands for the purpose of what, looking for weapons?  We are so politically correct that we can’t profile but we can strip search the public, grope grandma and feel up children!  Political Correctness is a way to control the masses and not something that we should be doing as a people.  We have free speech, and other than yelling fire in a theater or threatening to kill someone, I would not surrender the first amendment for anything!


Did you read about the whistle blower who worked for the TSA and admitted that it was a big joke to watch people stripped of their clothing and then make remarks and jokes about what they saw? (4) (5)


If I could have any job in the world, currently it would be to be in some position of authority at the TSA!  I would love to clean that bunch of people up and, while I am at it, assist them with security, as currently they are loath to do much right; of course it is the government, so… what do you expect?!  They need folks who think outside the box, and currently they have a bunch of automatons.


The news media commonly carried stories about the TSA scanner as equivalent to being at altitude for a couple of hours.  The lying bastards, however, did not tell the truth.  While pilots do suffer more cases of skin cancer than non-pilots, as cosmic radiation is more intense at altitude, it is not the same as ionizing radiation.

To further exacerbate the privacy issue, you are undoubtedly aware that cameras are everywhere.  You must assume that wherever you are, or whatever you are doing, there may be a camera watching you.  Every red light contains cameras that, I maintain, can and do look at people in cars, collecting biometric data, looking for who is doing what and when.  These are not the low-end cameras that you can buy online; these are high-end cameras with good-quality optics.


How about some of these cameras:

[Image: st-sony640-dvr] There is a wifi-enabled camera in there.  Have you seen these in your hotel room perhaps?


These are just a scant few.  These things are tiny and easily concealed.  Assume that you have no privacy.  If you scratch it in public, chances are someone saw you.


Orwell was ahead of his time, and you my friends need to be aware of this, and act accordingly.


(1) http://thehackernews.com/2015/04/police-spying-cell-phones.html

(2) https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School_District

(3) https://nakedsecurity.sophos.com/2015/08/14/webcam-spy-sends-couple-photos-of-previous-nights-netflix-snuggle-session/

(4) http://mountainrepublic.net/2012/12/24/ex-tsa-screener-officers-laughing-at-your-naked-image/

(5) https://takingsenseaway.wordpress.com/2012/12/19/letter-from-a-passenger-what-really-happens-in-the-tsa-private-room/

-Best

© All Rights Reserved 2015