
The Actuator – May 15th

Level 17

Had a great time at the Seattle SWUG last week. I always enjoy the happiness I find at SWUG events. Great conversations with customers and partners, and wonderful feedback collected to help us make better products and services. Thanks to everyone that was able to participate.

As always, here are some links from the Intertubz that I hope will hold your interest. Enjoy!

90% of data breaches in US occur in New York and California

There is no such thing as a “leaky database.” Databases don’t leak, it’s the code that you layer on top.

Top 5 Configuration Mistakes That Create Field Days for Hackers

And sometimes the code is solid, but silly default configurations are your main security risk.

A ransomware attack is holding Baltimore's networks hostage

Maybe Baltimore thought they were safe because they weren’t in California or New York.

Facebook sues data collection and analytics firm Rankwave

“Hey, you can’t steal our users’ data and sell it, only *WE* get to do that!”

Microsoft recommends using a separate device for administrative tasks

I’ve lost track of the number of debates I’ve had with other admins that insist on installing tools onto servers “just in case they are needed.”

Hackers Still Outpace Breach Detection, Containment Efforts

It takes an intruder minutes to compromise an asset, and it takes months before you will discover it happened.

Watch Microsoft’s failed HoloLens 2 Apollo moon landing demo

This is a wonderful demo, even if it failed at the time they tried it live.

Breakfast at the SWUG, just in case you needed an incentive to attend:

SWUG-bacon.JPG

44 Comments

If most database breaches occur in CA and NY, isn't it most likely to surmise that most databases are also located in those spots?

Level 14

Logical and I guess most major companies would have main data centres in the main cities.  NY, LA and probably SF are the most likely to have major data centres.

Level 14

5 most common config mistakes.  How is that a news story?  Those aren't mistakes.  They are fundamental security lapses.

Level 14

Baltimore ransomware attack.

Apparently they have set up a special task force to look into this.  It is being headed by James McNulty with help from Lester Freamon.  Main suspects are Stringer Bell and Avon Barksdale.

The Wire - Wikipedia

Level 14

Facebook upset because someone else beat them to it.

Level 14

Microsoft recommending better security practices is a bit much.  Maybe if their products had even the most basic security we wouldn't be in the mess we are in. 

Level 14

Hackers will always be a step ahead.  We have to try to cover all bases and react to new attacks.  Hackers just have to think up new ways.  We have to be lucky all the time.  They just have to be lucky once.

Level 14

Microsoft's moon landing recreation.  Maybe the aliens on the dark side stopped it, or is it a government conspiracy?

Level 14

How come we didn't have bacon at the London SWUGs?  I'm upset now.

Level 12

"Leaky Database" makes me think of finger pointing during system outages. IT'S NOT THE NETWORK!

Level 14

It's ALWAYS the network.      

Level 12

Three of the top five security threats have to do with passwords in one way or another. Vendors could take steps to make secure devices as well, such as not having a default password and making admins choose a lengthy password the first time the device is used. Hackers will always take advantage of vulnerabilities and adapt to new security methods. It is worth trying to stay one step ahead of them.

Level 12

It's not easy to secure a database when someone at the NSA is handing hacking tools to China. And it's more fun when companies try to hide breaches instead of actively working against them and sharing knowledge so everybody can learn from how they were exploited.

Level 13

Oh boy!  My favorite thing! Another episode of the Actuator!

As always, thanks for a bunch of interesting links I'd have never run into if you hadn't pointed them out.

Had to laugh at the leaky database comment.  Since I don't live in either CA or NY, guess I'm safe.

Level 12

That is what I thought until KMSigma shared "It's not the network" during a Seattle SWUG keynote. Then again he said "It's not my network!" so I think it is safe to say "it's ALWAYS the network" unless it is KMSigma's network.

I agree with the other comments about the Top 5 Security Mistakes.  Those areas are easy to correct, but they need a system and a staff to make the changes, or an automation solution that will do the job correctly for you.  Firewalling only goes so far, and if a malicious entity somehow achieved access to the internal network inside the firewall, not having these easy protections in place leaves a fox in the hen house.

Ransomware and Baltimore.  I wonder how THAT happened?  It's not like the entire world hasn't been preaching about ransomware and security for the last few years.  And it's not like there haven't been MANY stories about people and businesses and governments falling victim to ransomware due to missing or poor or incomplete security, or due to user ignorance.  I'm avoiding intentional insider infections/malfeasance since that's a different problem.

Really, opening unknown/unexpected e-mail and their attachments or responding to them . . .  using USB thumb drives AT ALL . . . not keeping your personal and corporate equipment secure . . . buying IoT items and letting them attach to networks, no matter at home or at work . . .

Silly people!  Just stop it.

Facebook isn't serious about securing its app.  If so, it would improve its product's user security, thus making it better from the users' point of view.  Which MIGHT reduce FB's profit margin.

Nothing shall stand in the way of the bottom line, I think.

They're not serious.  They can't afford to be.

But . . . can they afford to NOT be serious?

Requiring someone to use a separate / dedicated device for admin tasks, and NOT install admin tools on every device they might touch in a year?

That's good advice.  But it's a bit late in implementation. 

Training the user the right processes to do their job is step 1.

Step 2 is monitoring and verifying they're doing it right--and doing right EVERY TIME.

Step 3 is correcting inappropriate activity and showing that nothing will get through the cracks, no exceptions to the rule will be made.

Fourth is retesting for compliance failure, and then applying praise and reward or letting that person go from their job.  A company can't afford a single exposure, much less repeated vulnerabilities to be perpetrated, no matter the intent.

Hacking is faster and easier than discovering the hack.  It's why we can't have nice things.

Well, not really.  People behaving inappropriately, and it being hard to detect those actions quickly, and not being able to rapidly apply corrective training to those employees (or firing them) . . . those are the actual reasons we can't have nice things.

I'm not Microsoft's A-Number-1 Top FAN for various reasons, but I like the demo / rehearsal they made of the Apollo landing.  Rather than focusing on the demonstration failing during the press conference, I'd have been better served by The Verge telling us why it failed, and how it was later corrected.

Leave the throwing the mud of embarrassment onto Microsoft to others, Verge.  Just tell us the interesting technical facts; you can rely on us to draw our own conclusions.

I think Microsoft did a great job in that video, even if it was a dry run / rehearsal.  I feel badly for them that the actual performance had a technical difficulty.

Honestly, how many people snickered to their coworkers and said "Houston, we have a problem."?

Community Manager

I approve this message.  As both a Network Engineer and a Systems Engineer in my last life, I can concretely say that it's never the network.... (until it is).

Level 14

The live demo issues remind me of the old WC Fields line of "Never work with animals or children."

Live demos are the worst.... it is just asking for Murphy to sit on your shoulder.....

Looks like this month's patches from Microsoft are really important to the older servers in your fleet.

**************************************************************************************************

Microsoft warns wormable Windows bug could lead to another WannaCry

Company takes the unusual step of patching Win 2003 and XP. 7, Server 2008 and 2008 R2 also vulnerable.

From the article.

As if a self-replicating, code-execution vulnerability wasn’t serious enough, CVE-2019-0708, as the flaw in Windows Remote Desktop Services is indexed, requires low complexity to exploit. Microsoft’s Common Vulnerability Scoring System Calculator scores that complexity as 3.9 out of 10. (To be clear, the WannaCry developers had potent exploit code written by, and later stolen from, the National Security Agency, to exploit the wormable CVE-2017-0144 and CVE-2017-0145 flaws, which had exploit complexities rated as "high.") Ultimately, though, developing reliable exploit code for this latest Windows vulnerability will require relatively little work.

https://arstechnica.com/information-technology/2019/05/microsoft-warns-wormable-windows-bug-could-le...

RT

The patching will continue until security improves!

Level 14

Thanks for the articles!  As usual reading the comments is almost more entertaining than the articles themselves haha.

I mean SolarWinds saves our bacon so it's fitting to have a lot of bacon

SWUG-bacon.JPG

But wow.   Yes I will take two orders, and two slices of bread please...

Level 14

No No No.  That IS a single portion.       

MVP

As long as you have coffee to go with the bacon I'm set!!

Use the Bacon as the coffee stir...  

MVP

Hmmm.....that has possibilities....dual purpose.

Kind of like a floor polish and a dessert topping.

I can smell that bacon.  Hear it settling slowly down, crackling, dripping grease.

I love a few bites followed by a nice sip of pulpy cold orange juice.  Then repeat.  Until it's all gone or until I regret my actions.  Maybe both?

Level 20

Yummy BACON!

Level 13

As long as the incentives (read $$$) favor not doing anything about privacy/security you can bet they won't.

I fondly remember the Saturday Night Live skit for Shimmer.  It is a dessert topping and a floor polish!

https://www.nbc.com/saturday-night-live/video/shimmer-floor-wax/n8625


I stir my maple syrup with bacon. 


MVP

I particularly appreciated the article from Microsoft about having alternatives to passwords. A pin and a card or token would be better than passwords.

I remember this one.  The audience loved it.  Chevy did a perfect job mocking advertising hosts.  And the performance by Gilda and Dan was exemplary for its mimicry of stereotypical nuclear family bases in that socio-economic strata for that ethnic group.

But . . .  EEEwwwwww!

I appreciated my organization implementing MFA for better remote-access security.  But then they applied it quite aggressively to certain environments that not only require MFA, but use a different domain, different user names, and mandatory 30-day password changes.  Sigh . . .   Now I find it less enjoyable.  I also question whether users of this "more secure" environment might be compromising best practices with their passwords.

Level 16

The article about Microsoft is very interesting. Nice approach.

"Provide zero rights by default to administration accounts," the Microsoft Security Team also recommended. "Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system."

MVP

Cool article

MVP

Breakfast at the SWUG, just in case you needed an incentive to attend:

Level 14

Yep, Advertising is a waste of time.  Oh, hang on a minute.  I work for a global Ad agency.  oops     

Level 14

That's my Saturday morning breakfast and tomorrow is Saturday.    

Level 13

Thanks for the articles

About the Author
Thomas LaRock is a Head Geek at SolarWinds and a Microsoft® Certified Master, SQL Server® MVP, VMware® vExpert, and a Microsoft Certified Trainer. He has over 20 years of experience in the IT industry in roles including programmer, developer, analyst, and database administrator.