East of Eden

The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.

Blog Feature

Cyber Security

NIST Panel Finds That NSA Influence Over NIST Weakened Crypto Standards

By: Andy Sherman
July 18th, 2014

There's an interesting article in Computerworld about the report of a blue-ribbon panel of the NIST looking into allegations in the Snowden documents that a key cryptography standard was weakened by the inclusion, at the NSA's behest, of a weak pseudo-random number generator.

Read More

Share

Blog Feature

End User Devices and Services

What Is Your Smart Phone Saying About You?

By: Andy Sherman
July 6th, 2014

Short answer: much more than you think. Recently I heard a fascinating Planet Money podcast on a project called Project Eavesdrop (podcast here) which NPR's Steve Henn conducted jointly with Ars Technica's Sean Gallagher and Dave Porcello, CTO of Pwnie Express, who make penetration testing tools. The point of the project was to determine what you could find out about a person's internet activities by passive monitoring of their Internet traffic. They monitored Henn's smartphone when it was connected to the WiFi in his home as an analogue to a signals intelligence service's (e.g., NSA or GCHQ) monitoring of the internet backbone. The results were astounding. Henn invited Gallagher to install one of Pwnie's devices in his home office so that Porcello could snoop away at his phone's online footprint when connected to the WiFi hotspot. To be clear, the Pwnie device's WiFi was secured with WPA, so this was not an over-the-air snooping test. This was a simulation of what was being disclosed over the backbone.

Read More

Share

Planning for Windows 10 Starts Now

Planning for Windows 10 Starts Now

Develop a transition strategy for a successful Windows 10 upgrade, and make this migration your best.

Blog Feature

Cyber Security

Podcast Recommendation - TED Radio Hour

By: Andy Sherman
June 27th, 2014

It takes me a fair amount of time to get to some of the client sites I work at, so I'm always looking for interesting podcasts, which are especially useful in areas where audio streams cut in and out. Based on a teaser at the end of NPR's Planet Money podcast, I tried the NPR TED Radio hour (podcast information here), and now I'm hooked.

Read More

Share

Blog Feature

Cyber Security

Embedded Vulnerabilities

By: Andy Sherman
June 10th, 2014

I was working with a client implementing a vulnerability scanning program. We were analyzing some results when I noticed a few systems vulnerable to Heartbleed. This was a surprise, since it is a Windows shop, although the scan showed a lot of Tomcat around (presumably vendor systems) OpenSSL is not used by Java either. We ran it down and it turned out to be the server management GUI for a couple of machines. This reminded me that there was a fair amount of embedded code, management GUIs for servers, router firmware, etc., that could be vulnerable. What to do? My friend Steve Bellovin would say the most important thing is "Don't Panic." I concur. Also, don't aggressively scan for it if you have older servers on your network. HP's note on Heartbleed and embedded code notes: IMPORTANT: Reports have been received that scanners used to identify the Heartbleed vulnerability cause first-generation Integrated Lights-Out (iLO) and Integrated Lights-Out 2 (iLO 2) to lockup and become unresponsive. Although the server's operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network. To recover, power must be PHYSICALLY removed from the server. HP recommends not using vulnerability scanners to test first-generation iLO and iLO 2 devices, as these products are not vulnerable to the Heartbleed vulnerability.

Read More

Share

Blog Feature

Cyber Security

Seven Month Old IE8 Zero Day Disclosed (And It Won't Be Patched)

By: Andy Sherman
May 23rd, 2014

In October, HP Tipping Point's Zero Day Initiative notified Microsoft of a use-after-free vulnerability in Internet Explorer 8 that could potentially allow remote code execution by an attacker. According to ZDI, Microsoft confirmed that the reproduced the bug in February, but took no action. ZDI's policy is to disclose unpatched vulnerabilities 180 days after vendor notification, although they waited almost two additional months before disclosing this week.

Read More

Share

Blog Feature

Cyber Security

Another Day, Another Breach: This Time eBay

By: Andy Sherman
May 23rd, 2014

EBay is asking all of its users to change their passwords, following a recently discovered data breach from late February. Apparently employee login credentials were compromised, allowing intruders to access a database containing eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. Unfortunately, data breach announcements throw around the term "encrypted password" loosely, so we don't know if they are encrypted (meaning they can be decrypted with a key, not a best practice), or hashed (meaning they cannot be decrypted, which is good). In either case, there are bigger risks associated with the breach of personal data that could be used to aid identity theft.

Read More

Share

Blog Feature

Cyber Security

Not So Quiet On The Eastern Front

By: Andy Sherman
May 23rd, 2014

What Happened This Week The US Department of Justice announced charges against five members of the (Chinese) Peoples Liberation Army Unit 61398 for cyber industrial espionage against Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies Inc., the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union, and Alcoa Inc. (News coverage: NYT, WSJ (may be behind their paywall), Washington Post) The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs). In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity. “This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.” While these are serious allegations, there was a certain high theater about this. The Attorney General held a press conference. The DOJ and FBI issued press releases, complete with "Wanted By The FBI" posters with color pictures of each of the PLA officers and the note that if you see one of these people to call your local FBI office. Somehow, I don't expect any of them to plan a trip to anyplace with an extradition treaty with the US anytime soon.

Read More

Share

Blog Feature

Cyber Security

Freedome From The NSA, Your Boss, Or Anybody Else Watching You

By: Andy Sherman
May 21st, 2014

Disclaimer: These notes are neither product recommendations or complete reviews. They are intended to share a couple of things I'm playing around with right now. Feedback in the comments section would be welcome, especially shared experience with these apps. F-Secure Freedome VPN F-Secure, the Finnish security company, has made a bit of a splash in the technical media (not to mention Forbes as well) lately with their mobile VPN and security app Freedome. Freedome is intended to enhance anonymity and reduce tracking for mobile device users on iOS and Android. F-Secure claims: "We’ve gathered the most sophisticated security features – VPN, anti-virus, anti-tracking, and anti-phishing – into one intuitive service. With the push of a button, Freedome watches your back."

Read More

Share

Blog Feature

Cyber Security

Is Antivirus Dead?

By: Andy Sherman
May 15th, 2014

Brian Dye, Symantec's senior vice president for information security, caused lot of virtual ink to be spilled when he told the Wall Street Journal that antivirus "is dead. We don't think of antivirus as a moneymaker in any way." According to Dye, traditional signature antivirus picks up about 45% of cyber attacks. Eeva Haaramo points out on ZDNet that this is not news. Symantec's endpoint protection products (as well as those of their competitors) already look for suspicious activity that may come from previously unseen viruses. They also integrate a local firewall, spam protection, and other new features.

Read More

Share

Blog Feature

Cyber Security

DIY Crypto: Just Say No

By: Andy Sherman
May 14th, 2014

There's been a lot of hand-wringing about the current state of cryptography lately. We've had two publicly disclosed bugs that rendered widely used cryptosystems ineffective in some cases. One was Apple's "goto fail" bug in iOS, which could allow an attacker to intercept all traffic in what the user thought was a secure session. The other was the "Heartbleed" bug in OpenSSL which allowed the compromised of data in memory of an SSL server, including private keys.

Read More

Share