Monday, May 02, 2005 - Posts

Sometimes just a reboot at the right time is what you need

So I'm installing another server at home [rebuilding the blue glowing baby server that went to smbnation and back]. I had installed 'Standard' this weekend and was kicking it up to Premium tonight to get ready to move over to this one from the poor beta-ed, WSUS'd, overgrown desktop 'server' that I have here at home. I had checked to make sure the CD-ROMs I had with the Standard were post-SharePoint CD-ROMs and that Companyweb worked with Standard. When I upgraded to Premium I upgraded to SharePoint, went to launch Companyweb and got

Cannot connect to the configuration database.
 
Huh?  It worked before?  So I googled and found a KB but then went.... uh... you know... I don't think I did a reboot after I installed that SQL now did I?
 
One sheepish grin later... I now have a fully functional Companyweb with a search box.
 
Yeah... don't forget a good reboot every now and then does the trick.

Law #3, if I have it, it's MINE

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Oh, the things a bad guy can do if he can lay his hands on your computer! Here's a sampling, going from Stone Age to Space Age:

  1. He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
  2. He could unplug the computer, haul it out of your building, and hold it for ransom.
  3. He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).
  4. He could remove the hard drive from your computer, install it into his computer, and read it.
  5. He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.
  6. He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always make sure that a computer is physically protected in a way that's consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures.

If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows® 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn't been tampered with is to keep the laptop on your person at all times while traveling.

I'm definitely one sick puppy, because hands down this is my favorite law of security.  Why?  Because it's amazing that this law number three still shocks people even today.  Just a few weeks ago in fact a consultant had a 'falling out' with a client and had held off on handing over the administrator password and was planning to do a 'payment in full' for 'password' swap.  Well, he also had a monitoring service on that box and all of a sudden got paged that something had been loaded to the machine, it had been rebooted, and suddenly he didn't have Administrator access to the box anymore.  He came into the newsgroup asking if there was something about SBS that made it more vulnerable to this kind of attack.

Hardly dude, any computer is vulnerable to law #3.

It's called, if I have access to that server or computer, it's MINE, totally MINE, and there's nothing that you as the remote administrator can do about it.  This is a foundational law of security: physical security trumps everything.

Take for example the other day when I totally forgot the admin password for my Tablet PC.  No worries, boot using the reset password cdrom and voila... I reset the admin password with no issues whatsoever.  For servers, this is a bit trickier as you can't just use that Linux based boot disk, but there are other utilities out there that can do the job as well. 

Look as well at that story about the backup tapes containing data on 600,000 Time Warner employees that have been lost.  Now I would argue that the tape backup software should have natively supported encryption, but nonetheless they've now got a mess on their hands because they lost physical access to that tape media and someone else possibly has it.

Bottom line.... as I said earlier, there is no computer in the world that is immune from Law #3.

The business of trust

I was at a client's today and ...well.. let's just say that one Quickbooks password cracking later, one quick crash course in bookkeeping later and they are a bit up and running, more so than they were at 9:00 a.m. this morning when they couldn't get into the bookkeeping program.

It reminded me of the conversations going on in the SBS community about growing out the business to allow someone you don't know to handle your financial 'stuff'.  What typically happens in small businesses is that the business owner, a relative or someone they trust does the bill paying, bookkeeping and reconciliation.  But here's the problem.  In the proper system you should have separation of duties.  In a typical small business... you don't.  None at all.  So what are some issues small business owners should be concerned about when they let someone else do the bookkeeping?

If you answer “yes” to any of these, you may have issues in segregation of duties:

  1. Is the person who handles your cash also responsible for recording the cash?
  2. Does the person who pays or orders inventory also receive the materials?
  3. Are two or fewer people responsible for the accounting function?
  4. Is only one person responsible for reviewing financial statements each month?
  5. Is your review of financial journals sporadic?

If you answer “no” to any of these, you may have issues with Bank Reconciliation:

  1. Do you review canceled checks and endorsements on a monthly basis?
  2. Do you compare payroll checks with your current employee records?
  3. Do you question funds transferred between bank accounts?
  4. Do you track the number of credit card bills you sign per month?
  5. Are bank reconciliations performed on a timely basis?
  6. Is someone responsible for reviewing the reconciliations each month?
  7. Do you verify reconciled items?

If you answer “yes” to any of these, you may have issues with documentation:

  1. Do you ever sign blank checks?
  2. Do you ever sign checks without original supporting documentation?
  3. Do you ever sign checks without canceling supporting documentation?
  4. Have funds ever been transferred between accounts without review or verification?
  5. Do you ever sign checks for new business vendors without knowing or verifying their name and association with your company?

If you answer “yes” to any of these you may have issues with employees:

  1. Are any of your employees extremely possessive of their work records and reluctant to share their tasks?
  2. Are any of your employees apprehensive about vacations and time off, while always being the first in the office and the last out?
  3. Have you noticed a substantial change of lifestyle in any of your employees?
  4. Do any of your employees have a possible substance abuse problem?
  5. Are any of your employees living beyond their means?
  6. Have you ever hired an employee before checking references?
  7. Do you permit your accounting personnel to work longer than a year without taking a vacation?
  8. Do you have any accounting staff or key personnel who have not been secured with a fidelity bond?

If you answer “no” to any of these you may have a problem with assets:

  1. Are blank check stocks and signature stamps safely secured?
  2. Do you restrictively endorse all checks when received?
  3. Do you deposit cash and checks daily?
  4. Do you maintain a list of office furniture, equipment, and company vehicles?

Oh, and did you notice I said I easily used a password cracking program to get into that Quickbooks?  The password protection provided by the program is easily overcome within mere seconds of using Elcomsoft or any other number of password cracking programs.  If Elcomsoft's program can't crack it because the password is too long, it merely asks you if it's okay to 'remove it' instead.

While this is certainly a case of Computer Security Law #3 [coming up in the next blog post], you should still be aware that it is EXTREMELY trivial to open up a password protected Quickbooks file.

Another patch for the patch

So I'm installing the Insight Manager update tonight and I go back in to check the hardware and rats.... the page doesn't resolve up and says I need a new System Management home page.  Well off I go to HP and find there is a new update as of April 25, 2005 for the HP System Management Homepage for Windows, version 2.0.2.106.  And as I'm installing this, since I only manage the one HP server [the other one is not an HP machine] I could set up the logging in for that monitoring in a certain way, but it was pretty obvious that you could use this to manage many different machines.

But now all is well, it's monitoring the processor and NICs again as it was.  Just another patch for another patch in the day of patching.