East of Eden

The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.

Andy Sherman

Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.

Blog Feature

Cyber Security

Shellshock (Bash Vulnerability) FAQ

By: Andy Sherman
October 1st, 2014

What is the vulnerability? There was a vulnerability announcement on September 24, 2014 of a bug (CVE-2014-6271) in the Bourne-again shell, bash, that is the default command line interpreter in most Linux and many Unix distributions, including variants that form the basis of many embedded devices and appliances. The bug allows for remote code injection that can cause arbitrary commands to be run on the attacked system. There are several avenues for making this happen, but the single most potent one is by attacking web servers that can run CGI commands.

Collaboration

How The Fed Saved The Economy After 9/11

By: Andy Sherman
September 24th, 2014

The Daily Kos has a remarkable piece by Arliss Bunny (hat tip to Bruce Schneier for spotting this) describing the actions of the Fed on 9/11. The piece was researched by going through the annual reports of all 12 Federal Reserve Banks, and led the author to the conclusion that "on 9-11 and the days which immediately followed, a relatively small number of people did some genuinely, physically heroic things in order to keep the economy from going off the rails..." When the planes hit the towers it was a busy day, and all but one Washington-based member of the Fed Board of Governors were elsewhere. Chairman Alan Greenspan was flying home from Switzerland at the time, and would not know what happened until his plane had returned to Zürich. It fell to the one senior person in DC, Federal Reserve Vice Chairman Roger W. Ferguson, Jr., to coordinate the Fed's response. In some ways Ferguson was the ideal choice, since he had led the Fed's Y2K planning and response. That turned out to be a meticulously planned effort which did a good job of expecting the unexpected, in ways that served them well.

Cyber Security

Backoff POS Malware Affects Over 1000 Businesses

By: Andy Sherman
August 27th, 2014

Malware attacks against Point of Sale (POS) terminals came into the collective consciousness with the Target breach late last year, followed by the recent disclosure of data breaches at 51 UPS franchise stores and a major data breach at chains owned (or recently owned) by SuperValu, including SuperValu, Cub Foods, Albertsons, Acme Markets, Jewel-Osco, Shaw's and Star Markets. Last week the U.S. Secret Service warned that over 1,000 US businesses were affected by Backoff, an up-and-coming piece of POS malware. Backoff's method of operation is not new, but it is very well executed. Like other POS malware, it installs a memory scraper onto the terminal to capture credit card track data, as well as a keystroke logger; it then establishes communications with a command and control server and exfiltrates both payment card and keystroke data. The crime syndicates using Backoff have become highly skilled at compromising systems through remote access software in order to establish a "jump server" from which to find and infect POS terminals.

End User Devices and Services | Cyber Security

Your Smartphone Is Your Token: A Cautionary Tale

By: Andy Sherman
August 22nd, 2014

I'm a big fan of using mobile phones, especially smartphones, as security tokens. If the user locks the phone with a passcode, then it's a pretty good bet that your token is in the right hands. And, unlike little hardware tokens, nobody leaves home without their phone anymore. In addition to applications that might send me a token by SMS, I have three token apps on my smartphone: Symantec VIP, which I use for eBay, PayPal, Symantec MSS, remote login to one of my clients, and some others; Google Authenticator, for various Google accounts and for WordPress; and Duo Security, which I use for my own SSH logins. This was cool until I went into a swimming pool with my iPhone in my bathing suit pocket.

Cyber Security

A Pair of Interesting Posts On SMBlog

By: Andy Sherman
July 25th, 2014

An appreciation

My old friend and former colleague Steve Bellovin has an interesting blog at Columbia, where he's a professor of computer science. Steve is one of those guys who has just done stuff for his whole career. As a graduate student he helped invent Usenet, which I credit as being the first computer social network. His time at Bell Labs (which is where our paths first crossed) produced a lot of different things, possibly most famously his work with Bill Cheswick on internet firewalls and security. For his last sabbatical from Columbia, he was the Chief Technologist of the Federal Trade Commission for a year. Steve's blog is not notable for its volume; it's notable for its gems -- thoughtful and thought-provoking pieces on a wide variety of topics. There's currently a pair of posts worth reading.

Cyber Security

NIST Panel Finds That NSA Influence Over NIST Weakened Crypto Standards

By: Andy Sherman
July 18th, 2014

There's an interesting article in Computerworld about the report of a blue-ribbon panel convened by NIST to look into allegations in the Snowden documents that a key cryptography standard was weakened by the inclusion, at the NSA's behest, of a weak pseudo-random number generator.

End User Devices and Services

What Is Your Smart Phone Saying About You?

By: Andy Sherman
July 6th, 2014

Short answer: much more than you think. Recently I heard a fascinating Planet Money podcast on a project called Project Eavesdrop, which NPR's Steve Henn conducted jointly with Ars Technica's Sean Gallagher and Dave Porcello, CTO of Pwnie Express, who make penetration testing tools. The point of the project was to determine what you could find out about a person's internet activities by passive monitoring of their Internet traffic. They monitored Henn's smartphone when it was connected to the WiFi in his home, as an analogue to a signals intelligence service (e.g., NSA or GCHQ) monitoring the internet backbone. The results were astounding. Henn invited Gallagher to install one of Pwnie's devices in his home office so that Porcello could snoop away at his phone's online footprint when connected to the WiFi hotspot. To be clear, the Pwnie device's WiFi was secured with WPA, so this was not an over-the-air snooping test. This was a simulation of what was being disclosed over the backbone.

Cyber Security

Podcast Recommendation - TED Radio Hour

By: Andy Sherman
June 27th, 2014

It takes me a fair amount of time to get to some of the client sites I work at, so I'm always looking for interesting podcasts, which are especially useful in areas where audio streams cut in and out. Based on a teaser at the end of NPR's Planet Money podcast, I tried NPR's TED Radio Hour, and now I'm hooked.

Cyber Security

Embedded Vulnerabilities

By: Andy Sherman
June 10th, 2014

I was working with a client implementing a vulnerability scanning program. We were analyzing some results when I noticed a few systems vulnerable to Heartbleed. This was a surprise, since it is a Windows shop; although the scan showed a lot of Tomcat around (presumably vendor systems), OpenSSL is not used by Java either. We ran it down and it turned out to be the server management GUI for a couple of machines. This reminded me that there is a fair amount of embedded code (management GUIs for servers, router firmware, etc.) that could be vulnerable. What to do? My friend Steve Bellovin would say the most important thing is "Don't Panic." I concur. Also, don't aggressively scan for it if you have older servers on your network. HP's note on Heartbleed and embedded code states:

IMPORTANT: Reports have been received that scanners used to identify the Heartbleed vulnerability cause first-generation Integrated Lights-Out (iLO) and Integrated Lights-Out 2 (iLO 2) to lock up and become unresponsive. Although the server's operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network. To recover, power must be PHYSICALLY removed from the server. HP recommends not using vulnerability scanners to test first-generation iLO and iLO 2 devices, as these products are not vulnerable to the Heartbleed vulnerability.

Cyber Security

Seven Month Old IE8 Zero Day Disclosed (And It Won't Be Patched)

By: Andy Sherman
May 23rd, 2014

In October, HP TippingPoint's Zero Day Initiative notified Microsoft of a use-after-free vulnerability in Internet Explorer 8 that could potentially allow remote code execution by an attacker. According to ZDI, Microsoft confirmed in February that it had reproduced the bug, but took no action. ZDI's policy is to disclose unpatched vulnerabilities 180 days after vendor notification, although they waited almost two additional months before disclosing this week.
