
The Actuator – May 1st

Level 17

Happy May Day! We are one-third of the way through the calendar year. Now is a good time to check on your goals for 2019 and adjust your plans as needed.

As always, here are some links from the Intertubz that I hope will hold your interest. Enjoy!

Departing a US Airport? Your Face Will Be Scanned

My last two trips out of DTW have used this technology. I had initial privacy concerns, but the tech is deployed by Border Patrol, and your data is not shared with the airline. In other words, the onus of passport control at the gate is being removed from the airlines and put into the hands of the people who should be doing the checking.

Password "123456" Used by 23.2 Million Users Worldwide

This is why we can’t have nice things.

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps

“…he realized that all customers are given a default password of 123456 when they sign up.”

Some internet outages predicted for the coming month as '768k Day' approaches

The outage in 2014 ("512k Day", when the global IPv4 routing table crossed 512,000 prefixes and overflowed the forwarding tables of older routers) was our wake-up call. If your hardware is old and you still haven't made the necessary configuration changes, then you deserve what's coming your way.

Password1, Password2, Password3 no more: Microsoft drops password expiration rec

Finally, some good news about passwords and security. Microsoft's security baseline no longer recommends forcing users to change their passwords after a set period; forced rotation mostly produces predictable variants (Password1, Password2, Password3) rather than stronger secrets.

Ethereum bandit makes off with $6.1M after bypassing weak private keys

Weak private keys, shipped by #blockchain developers who should know better, further erode my confidence in this technology and the people building these systems.
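Added example (mine, not from the linked article or this post): the attacker's side of a weak-key sweep on secp256k1, the curve Ethereum uses. A private key is just an integer in [1, N-1]; if a developer's generator produced tiny integers or sha256 of a word, anyone who enumerates those candidates and compares the derived public keys with what they see on chain recovers the key and can drain the wallet. The candidate list, the "observed" wallets and the fixed STRONG_KEY are constructed for the demo; the Keccak-256 address step is left out because matching on the public key makes the same point. Pure Python, needs 3.8+ for pow(x, -1, P).

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity

# secp256k1 domain parameters (the curve Ethereum and Bitcoin use)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a: Point, b: Point) -> Point:
    """Affine addition on y^2 = x^3 + 7 over GF(P); handles doubling and inverses."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # b == -a
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope (curve a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return x3, y3


def scalar_mult(k: int, point: Point = G) -> Point:
    """Double-and-add. Readable, not constant-time: attacker-side code only."""
    result: Point = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def pubkey(priv: int) -> Tuple[int, int]:
    if not 1 <= priv < N:
        raise ValueError("private key must be in [1, N-1]")
    pt = scalar_mult(priv)
    assert pt is not None                                 # 0 < priv < N, never infinity
    return pt


def brain_key(passphrase: str) -> int:
    """The 'brain wallet' mistake: a key that is just sha256(passphrase)."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big") % N


def weak_key_candidates(max_small: int = 256,
                        words: Iterable[str] = ("password", "123456", "ethereum")) -> Iterable[int]:
    """Keys a broken generator or a brain-wallet scheme plausibly produced (constructed list)."""
    yield from range(1, max_small + 1)        # 0x...0001, 0x...0002, ...
    for w in words:
        yield brain_key(w)


def sweep(observed: Iterable[Tuple[int, int]],
          candidates: Iterable[int]) -> Dict[Tuple[int, int], int]:
    """Map each observed public key that a candidate reproduces to that private key.
    An attacker runs this against addresses seen on-chain, then drains the matches."""
    targets = set(observed)
    hits: Dict[Tuple[int, int], int] = {}
    for k in candidates:
        pk = pubkey(k)
        if pk in targets:
            hits[pk] = k
    return hits


# Constructed 'on-chain' wallets: three generated badly, one from a proper 256-bit key
# (fixed here so the demo is repeatable; a real key would come from os.urandom).
STRONG_KEY = 0x9D61B19DEFFD5A60BA844AF492EC2CC44449C5697B326919703BAC031CAE7F60
BRAIN_KEY = brain_key("password")
OBSERVED = [pubkey(1), pubkey(42), pubkey(BRAIN_KEY), pubkey(STRONG_KEY)]


def demo() -> Dict[Tuple[int, int], int]:
    return sweep(OBSERVED, weak_key_candidates())


if __name__ == "__main__":
    for pk, k in demo().items():
        print(f"swept key {k:#x} for pubkey x={pk[0]:#x}")
```

Three of the four constructed wallets fall to a few hundred scalar multiplications; the one generated from a full-entropy key does not, which is the whole difference between "blockchain is insecure" and "this key generator was".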

Many Used Hard Drives Sold on eBay Still Contain Leftover Data

Good reminder to destroy (or at least verifiably wipe) your old hard drives and equipment before they leave your hands.


50 Comments
Level 13

As always, thanks for a bunch of interesting articles.  Ethereum weaknesses, hacked tracking and unwiped drives.  Oh my!

Level 14

this is why all drives are shredded on site by my vendor.

Level 16

They have been using fingerprints to some extent on re-entry if you are not a US citizen. 

Departing a US Airport? Your Face Will Be Scanned

Level 16

I have been using !@#$%^  for the longest time, way more secure.

Password "123456" Used by 23.2 Million Users Worldwide

Level 14

sqlrockstar, got any secret bacon recipes on those puppies?

We have started to move the AD password requirements closer to the new NIST standard, like Microsoft; the 60-day expiration is going away. I like what replaces it; the blacklist seems pretty effective.

Azure AD password protection - Azure Active Directory | Microsoft Docs
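Added example (mine, not from the thread, the article or Microsoft): a NIST SP 800-63B style screen of the kind the comment above is describing, as an illustration rather than Azure AD Password Protection's actual algorithm. No composition rules and no expiry; instead a minimum length, a lookup against a breached-password set, and a banned-word check after normalising away the case changes, trailing digits and leetspeak that rotation policies train people to bolt on. The banned list and the breach set are tiny constructed stand-ins; a deployment loads a real corpus or queries a k-anonymity range API.

```python
import hashlib
import re
from typing import Tuple

MIN_LENGTH = 8

# Constructed banned list (letters only; digit strings like 123456 are caught by
# the length rule or the breach set). Add your org, product and site names.
BANNED = frozenset({"password", "qwerty", "letmein", "welcome", "solarwinds"})

# Constructed stand-in for a breached-password corpus: SHA-1 digests in upper-case
# hex, the format pwned-password dumps are distributed in.
BREACHED_SHA1 = frozenset(
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "12345678", "Password1", "Password2", "Password3")
)

# Substitutions undone during normalisation so that P@ssw0rd is seen as password.
_LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                       "1": "l", "!": "i", "3": "e", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop the trailing digits/symbols people append to satisfy
    complexity or rotation rules ('Password2019!'), then undo leetspeak."""
    lowered = password.lower()
    core = re.sub(r"[^a-z]+$", "", lowered)
    return core.translate(_LEET)


def check_password(password: str, user_id: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason). Length, breach lookup, banned-word match on the
    normalised form, and a check that the user's own identifier is not in it."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        return False, "appears in breach corpus"
    norm = normalize(password)
    if norm in BANNED:
        return False, f"normalises to banned word {norm!r}"
    for word in sorted(BANNED):                 # sorted so the reason is deterministic
        if word in norm:                        # 'mypassword99' -> contains 'password'
            return False, f"contains banned word {word!r}"
    if user_id and user_id.lower() in norm:
        return False, "contains the user identifier"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "!@#$%^", "Password1", "P@ssw0rd2019!",
                      "Welcome2SolarWinds!", "correct horse battery staple"):
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

The point of normalising before the lookup is that "P@ssw0rd2019!" satisfies every classic complexity rule and is still the word "password"; a blacklist that only matches exact strings misses it.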

Level 16

Another reason I still have a 90's Jeep. I borrowed my wife's new SUV last weekend and it beeps every time you swerve for a pothole in the road. In my state (Michigan) the road resembles the surface of the moon. The beeper sounded like some kind of techno drum beat.

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps

Level 16

Regarding facial recognition scanning at airports, I see the need for accurate and immediate and positive identification.  I have two concerns:

  • Securing the digital data. Once you have my PII digitally, it seems vulnerable to misuse and theft.  Based on stories from the last thirty years, it seems anything on the network can be copied and shared or stolen or manipulated.  Do I really want something that's unique to me (retina patterns, fingerprints, DNA) captured and stored digitally where it's not in my sole control?  Naw, not until someone proves it will always remain secure.
  • Relying on scans to be accurate. Technology may improve, but the scans have had a poor track record, letting inappropriate entry occur while occasionally denying legitimate users entry after mis-identifying them. Some recent examples of problems are reported from London's Heathrow area:   Facial recognition tech used by UK police is making a ton of mistakes | WIRED UK   and London's Met Police: We won't use facial recognition at Notting Hill Carnival • The Register

Once this is resolved and the tech is claimed reliable, how will we verify the claims?    Since security remains a moving target, it seems reasonable to believe that:

  • Certain users will find ways to mask their identity from scans
  • Some individuals or groups will steal or manipulate Data to defeat the security.

A really determined person or group will use movie-quality SFX cosmetics to make themselves look like someone else and defeat the scanners.  Example:  Robbers Find Creative New Use For Movie Special FX Masks - YouTube

When poor passwords are used, it brings some thoughts to my mind:

  • "Users who rely on this poor practice deserve the problems they'll get."    But this is so harsh, so unforgiving, I don't even feel comfortable sharing it.  Shouldn't systems be smart enough to force good passwords on users?
  • "Let's find ways to force people to use stronger passwords."  OK, forcing users to do ANYTHING is problematic at best, and impossible at worst.  Someone will find a workaround that will be even worse.
  • "Require MFA for everything."  It seems reasonable, right?  Anyone who's using the Internet MUST have another authentication venue available . . . or DO they?  Maybe not . . .
  • "Once MFA is required for everything, some enterprising individual or group will find a way to defeat it."  OK, that's just defeatist and pessimistic and unrealistic.  But, perhaps . . . accurate?
  • "If you can't learn to follow good security practices, you won't be allowed to use online systems that require good security."  Harsh.  But what else can be done?
  • "Start working to improve the morals and ethics of everyone so they stop abusing security vulnerabilities."  You DO have your "Ultimate-Power-Magic-Wand" ready, don't you?

Level 13

Thanks for the articles.

I didn't remember "Day 768K" was going to be a thing.  Thank you for reminding us.

Level 14

They have been scanning faces in the UK at airports for years.  Many years ago I had my fingerprints scanned at Narita (Tokyo) airport as a condition of entry.  This isn't really new.  It just depends on what they use it for.  Security - yes, tracking known players - yes.  Tracking law abiding folks - no.  As it is government it will be pretty insecure too.

Of COURSE Microsoft doesn't want to force users to change their passwords regularly.  Why would they, when the users' problems are the users' problems, not Microsoft's. 

Disgusted with MS.  Again.

Level 14

Passwords are a very contentious issue.  I've always been against long complex passwords as they are so difficult to remember that most people just write them down.  I have to remember hundreds of them for work and even more for personal stuff.  Pass phrases or combinations of short unrelated words are much better. 

Level 14

Thanks for the articles!  And thanks for the 768k day reminder.

Level 14

Turning off car engines remotely.  Two apps made in China.  Poor security.  Where have I heard this before?  Huawei all over again.

Level 14

768K Day.  Now should I check with our network guys to see if they are aware, or just wait to see what happens...

Level 14

It's about time Microsoft dropped the password expiry policy.  I've been trying to get manglement here to do that but they won't because Microsoft said no.  Now that Microsoft says yes, it will be interesting to see what happens.

Level 14

Hmmmm.  More virtual currency being stolen.  Kinda confirms my suspicions that they aren't secure enough.  Glad I don't have any.

Level 14

I've always shredded old drives.  Maybe it's my paranoia.  I did work at one site where, when we replaced a drive the client took it away, shredded it, exposed it to high strength radiation and then encased the remains in concrete.  To be fair, the data was extremely sensitive.

That article about Ethereum was interesting.  Honestly, most anyone investing in blockchain doesn't understand that jumping on that bandwagon was never a good idea.  Maybe they'll learn by losing their investment? 

No, probably not.  That would suggest they learn from studying history (even if it's their own).  And if they learned by studying history they would never have invested in blockchain to begin with.

I remove my own hard drives from equipment before recycling the equipment, and I use a hard drive shredder on them.

The same goes for my business.  It's an expensive and inconvenient bit of labor and service, but it's the only solution we've found for safeguarding data on disks.

Now, disks include SSD's installed within Cisco L2 and L3 switches in the 93xx, 94xx, and 95xx lines, to name a few.  Reselling/recycling them in the coming years will be more expense and inconvenience for my team.

I could not take in one more BGP route....

Facepalm.

Level 12

So the password is one, two, three, four, five. That's the stupidest password I've ever heard in my life! That's the kinda thing an idiot would have on his luggage!

Say it with ST:TNG style!


Or be skeptical!


Or just try to explain it as if you were speaking to a child:


Level 12

When disposing of old hard drives I use a DoD 5220.22-M compliant wipe and don't believe anybody is going to retrieve useable data after seven pseudo-random wipes. With notebook hard drives I can buy cheap USB enclosures to repurpose them instead of destroying them and buying other external hard drives.
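Added example (mine, not from the thread): whichever side of the wipe-versus-shred argument you land on, the check a practitioner wants is to read the media back after the overwrite rather than trust the tool's exit code. This works on a disk image file so it runs anywhere; the planted "patient record" pattern, the record count and the pass schedule are constructed for the demo. The same read-back applies to a real block device, with the caveat in the comments: an SSD controller may have remapped the blocks that held the data, so for flash the drive's own sanitize or secure-erase command, or destruction, is what actually reaches it.

```python
import os
import re
import tempfile
from typing import Tuple

# The 'PHI' we plant in the image and must not find afterwards (constructed pattern).
MARKER = re.compile(rb"MRN-\d{5}")


def make_image(path: str, records: int = 2000) -> None:
    """Constructed sample: a small 'disk' full of recognisable patient rows."""
    with open(path, "wb") as f:
        for i in range(records):
            f.write(b"MRN-%05d,DOE JOHN,DOB 1970-01-01,DX J45.20\n" % i)


def overwrite(path: str, random_passes: int = 1, final_zero: bool = True,
              chunk: int = 1 << 16) -> int:
    """Overwrite every byte in place (like dd conv=notrunc or shred -n1 -z) and
    fsync after each pass; returns the number of bytes covered per pass.

    Caveat: this reaches the logical blocks the OS exposes. An SSD controller may
    have remapped the blocks that held the data, so for flash use the drive's own
    sanitize / secure-erase command or destroy the media, and verify regardless."""
    size = os.path.getsize(path)
    fills = [os.urandom] * random_passes
    if final_zero:
        fills.append(lambda n: bytes(n))          # bytes(n) is n zero bytes
    with open(path, "r+b") as f:
        for fill in fills:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(fill(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_overwritten(path: str, expect_zero: bool = True) -> bool:
    """Read the image back: no marker may survive and, after a zero pass, every
    byte must be 0. A wipe you did not read back is a wipe you assumed."""
    with open(path, "rb") as f:
        data = f.read()
    if MARKER.search(data):
        return False
    return data.count(0) == len(data) if expect_zero else True


def demo() -> Tuple[bool, bool]:
    """(marker present before the wipe, verification passed after the wipe)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path)
        with open(path, "rb") as f:
            planted = MARKER.search(f.read()) is not None
        overwrite(path)
        return planted, verify_overwritten(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    planted, clean = demo()
    print(f"marker planted: {planted}, wipe verified: {clean}")
```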

Level 17

No, I keep the secret ones on a floppy drive, much more secure these days.

Level 17

Face scanning at the gates, or do you mean at passport control? We have face scanning at passport control, but at the gate is new. I haven't had my face scanned at the gate leaving the EU or UK yet (as far as I can remember).

Level 17

Rotation of passwords does not lead to better security. Dropping this forced expiration is a step in the right direction.

Level 12

512K was a riot, 768K is going to kill it, I can't wait for 1024k Day!

Some internet outages predicted for the coming month as '768k Day' approaches

I'm all for improving this.  Even if Microsoft takes the lead.

One of my critical environments is managed by our InfoSec Group, and they require both MFA and 30-day password expiration.  It's ridiculously inconvenient, but it's not about my convenience (obviously).  However, this also results in some players finding methods of quickly creating easily remembered (or discovered/hacked/extrapolated) passwords.  And that's the opposite result of what InfoSec wants.

Level 13

Wipe your drives.  Number one thing.

Level 14

Will a damp cloth do ?

Level 13

I probably shouldn't be, but I'm pretty amazed that people even *sell* used hard drives on eBay (or buy for that matter - it could go both ways).  It's not like they are expensive. 

MVP

Cool article

MVP

Many Used Hard Drives Sold on eBay Still Contain Leftover Data - true v true.

Level 11

If you sign up for the US Global Entry, you have your fingerprints scanned and picture taken. When you re-enter the US from ports abroad, then you can go to a kiosk and do everything there without going through customs. It's really quick, but again, your face and fingerprints are on file along with PII unfortunately. It is almost like going into Japan, where they scan your fingerprints and take a picture and makes going through the customs so much easier.

Our InfoSec team has shown us several articles revealing that wiping a hard drive, even multiple erase passes, isn't sufficient for legal / liability purposes.  I (mistakenly / naively?) thought "an erase is an erase"; that it was "completely erased".  Especially when the erase pass writes random 1's and 0's.  It's not enough.

Apparently there's too many types of too-sensitive equipment that can read latent magnetic 1's and 0's off an erased disk, and those readers are too inexpensive and too accessible.

The only acceptable method of retiring/recycling our hard drives, for liability purposes, is shredding.  We're in the medical care industry, and Personal Health Information (PHI) is deemed too valuable and too susceptible to inappropriate use for us to risk it being recovered by some enterprising and unscrupulous person or group.

Right along with PHI's value and vulnerabilities is the Personal Identification Information (PII) and PCI (Payment Card Industry) information that might be present on a hard drive.  All hard drives get shredded to protect that data.

When you consider we have about 60,000 devices on line today, with a replacement life cycle targeted at six years, we have to be able to shred up to 10,000 hard drives every year.  You might break it down to 200 a week or 40 every day--and it doesn't sound too bad a task.  But throw in the scheduling of down time, the paperwork, the shipping all of the PC's to one location, the physical opening of the boxes & removing the hard drives, the cost of having a contractor's shredding / recycling truck show up on a regular schedule . . .   Don't forget the ordering of replacement PC's, tracking them, shipping them, configuring them, installing them . . .

Google shows the cost of shredding a hard drive runs between $12 and $50 per drive, depending on region and quantity.  Multiply that by the 10,000 drives per year and you spend $120,000 to $600,000 per year securing hard drives.  Forever.

It's one reason why we prefer Citrix solutions and Thin Clients.  Many fewer hard drives to shred, no worries about a TC being stolen and opened for its hard drive.

Five or ten seconds per hard drive--if you drop them in one at a time:

SSI's Shred of the Month: E-Scrap - Hard Drives Shredding (Q) - YouTube

Level 14

Love the password stories.  People make it too easy.  Job security for me.

Level 14

I'm sure!

MVP

Password "123456" Used by 23.2 Million Users Worldwide - whoa

Level 16

Put them next to an MRI machine and they will be wiped.... once you and a few others detach them from the MRI.

(image attached)

Wow!  I've a basic understanding of some of the risks in an MRI environment, but that picture . . . either it's funny or it's scary.  Do you know if it represents an actual incident, or was it set up to make a point for safety?

Level 16

Sounds like this would make a good movie plot.

Ethereum bandit makes off with $6.1M after bypassing weak private keys

MVP

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps -

MVP

The ability to hack a vehicle is not new; it was done a couple of years ago via an exploit in the wifi and the vehicle's bus, allowing them to install malware into the entertainment system and giving it access to the vehicle.

Being able to use the gps tracking app/device just goes a step further.  Old school still works and is effectively air gapped with a standalone GPS unit.

Not sure how secure Apple CarPlay and Android Auto are when connected with a USB cable or even wifi or bluetooth.  Connected means opportunities may exist.

Convenience or security is the question.  How much is each worth to you?

Level 14

Old school way to hijack a car ...


A friend and I were supporting a race event on the Guadalupe river called the Texas Water Safari with Amateur Radio Communications (Digital and Voice) in the late 1980's out of his motor home.

Who wants to paddle a canoe for 260 miles....non stop...for a trophy?

We were parked near the river taking down boat numbers as they passed just up river from Victoria Texas.  This data was sent to the race officials so they can keep up with the boats and people.  It was very important because some of the contestants have died over the years.  In 2012, one died from a lack of salt in their body...they drank water only and sweated out their salt.

Basically we were in the middle of nowhere and we heard a knock at the door.  A nice lady asked for our help because she locked her keys in the car.

I checked out the mid 70's car and it looked easy since the back door lock pull was near the gap between the windows and there was nothing in the way.

With a wire coat hanger and a pair of heavy pliers I cut the hanger and formed a sharp V to snag the door lock.  I slipped the V wire into the window gap and behind the door lock, snagged the lock and pulled up.  It worked in seconds.

The nice lady looked at me like I was a master criminal.  I looked back and said I was lucky to get it on the first try.  She then thanked us and was on her way.

RT

P.S. The primary requirement is a boat powered only by human muscle. Racers must take all equipment needed with them, receiving only water, ice and food along the way.  Just finishing the race is an accomplishment.  It starts in San Marcos Texas and ends on a beach in the Gulf of Mexico near Seadrift, Texas. 

About the Author
Thomas LaRock is a Head Geek at SolarWinds and a Microsoft® Certified Master, SQL Server® MVP, VMware® vExpert, and a Microsoft Certified Trainer. He has over 20 years experience in the IT industry in roles including programmer, developer, analyst, and database administrator.