Tuesday, November 25, 2014

Clickbait Alert: The Latest Smartphone Security Alert

This is exactly the kind of security warning that trends towards "Clickbait":

Smartphone security alert: 87% of iPhone and 97% of Android top 100 apps hacked

First of all, there's the number, then there's the terminology.

What do we mean by 'hacked'? Was there a data breach? Was the Apple or Google app store hacked?


The report from Arxan, "State of Mobile App Security, Apps Under Attack", Volume 3 – November 2014, has this to say:

"The 2014 State of Mobile App Security analysis followed the same methodology as last year’s research, which included identifying and reviewing hacked versions of top iOS and Android apps from third-party sites outside of official Apple and Google app stores."

Users know, even if they ignore it, that installing apps from third-party sources is risky.
While it is important to know that such a high percentage of apps that are distributed outside of the app store have been infected with malware, the report does not show any compromise of the app store or these companies' infrastructure. However, other research linked in the article, available here, deals with those issues.

The Register had this to say:
"As a specialist in application protection, Arxan has an obvious vested interest in talking up the threat from poorly protected mobile apps. However, that's not to say it isn't onto something. The recent discovery of the WireLurker iOS malware provides evidence that the issue of tampered apps is a real and present danger."

So, I guess, important to know. Perhaps this becomes a reason companies should avoid putting out branded apps, or, for sectors that deal with private information, should employ technology (such as Arxan's) which helps to tamper-proof the code.

Bottom line: 87% of reports that the sky is falling - need to define the term "sky".

Wednesday, November 12, 2014

What does 'Governance' mean to you?

What does 'Governance' mean to you?

To me it means dealing with politicians, Red State / Blue State, and the current raft of temporary political theories. It means Fox News vs. the Jon Stewart show.

In the tech world it has come to be used to refer to having policies and procedures that support a technical infrastructure. Microsoft has elevated this usage as it has promoted SharePoint. Why? Because SharePoint is an enabler for the end user. It is among 'content management' systems which allow the end user to create information storage systems. The worry is that these systems will grow like weeds, with no control, without 'Information Architecture' being considered. It is a legitimate worry, but the greater worry is 'Adoption'.

What does 'Adoption' mean to you?

To me it means children finding a new home. In the SharePoint world it means that there is a large portion of the installed base that is not using SharePoint. It could be because of missing functionality, lack of user buy-in, lack of executive support.

User Adoption is a real problem. But underlying the issue is a darker reality. A lack of User Adoption may result from the executive, or most likely IT, acting in a vacuum. The tail wagging the dog.

Sure SharePoint is a cool thing to implement. But what does it do that we don't already have in place?

  • Replaces file shares
  • Allows collaboration
  • Information portal
  • Replaces Exchange calendaring
  • Search Capability
  • Document Management

Most of these functionalities are in place already in many businesses, with more purpose-built systems that are, as a result, more finely tuned to business activity. SharePoint is a generic Swiss Army knife of features. It doesn't have as many embedded business rules as purpose-built systems. (That is one reason why after-market products are quite important.)

Words Matter
By dressing up these basic requirements of our technology projects - Microsoft and IT 'elevate' the discussion. We tend to fool ourselves into thinking that we know what is best for our business. Maybe we're following the herd mentality? Maybe we are trying to stay relevant?

Until recently the term governance was rarely seen alone - most often it would be written 'Good Governance' or 'Bad Governance'. But 'Governance' became a buzz word used by consultants, and it is now frequently seen in email marketing. And this marketing drives us to implement governance before any project begins. And sure, policies are good to have. But we need to get our community behind us before any project begins.

Governance means nothing if it is a bunch of rules that the business (either explicitly, or de facto) does not agree to. On the one hand, the IT organization writes up rules but the business management is not engaged. This is the curse of middle management! On the other hand, management may be engaged but is unable to push through changes in procedure, as users will always try to find the easiest way to work, which may mean going around the system.

User Engagement
We need to practice user engagement. In a customer service context, some have called this 'customer delight'. We could call this 'user delight'. If we're not providing a better solution than Dropbox, then our users are going to use Dropbox. Otherwise we are like the tail wagging the dog. It kinda works, but it's never a sure thing.

User Engagement was the topic of a recent article in SharePoint Pro magazine:

Monday, April 14, 2014

Sensatronics EM1 Environmental Sensor with PRTG

Monitoring the EM1 Sensor from PRTG
How we got here...

In the past we have had issues with the A/C in our computer room. The A/C unit was spec'd out with a consumer grade unit (Carrier) rather than a more traditional unit. Unfortunately the unit was not optioned to run in cold weather, and there were issues with charging the unit that required extra maintenance.

And so our locked room would occasionally have a propped-open door with a fan exhausting heat into the office. Of course we care about physical security, and the prospect of increased downtime when these failures occur on a weekend or during a vacation. So we looked around for a simple environmental monitor and came up with the Sensatronics EM1 (around $500) and Overseer software.

Overseer is designed to run on your workstation, which means leaving the machine running all weekend. Loading it up in a VM produces inconsistent notifications. And we also need to collect syslogs.

So, we are evaluating PRTG. PRTG loads up on top of Windows 2012 in a VM, does an auto discovery (here I blocked it from discovering desktops lest I get notified every time someone shuts down). And there is a Beta version syslog repository. Good start...

There is a monitor in our APC UPS which was discovered properly. But since we bought the EM1 monitor I figure let's give it a try. The EM1 has additional sensor capacity, and I could use it in a new location.

Key Tricks

Getting started - PRTG doesn't ship with the device information for the sensor built in, so auto discovery will not work. But PRTG does have a concept of templates for the devices. And Sensatronics has a zip file of basic device configurations here. Update 7/2017: The zip file is no longer on Sensatronics' website; the best option is to call support.

Load the extracted files into the program directory for PRTG on the server, in our case:
\\prtg\c$\Program Files (x86)\PRTG Network Monitor\devicetemplates

With the templates loaded we need to create the new device as follows:

In PRTG we need to do two things:
  1. Create a new group (I called it SNMP V1), because the SNMP version is inherited from the group.
  2. For SNMP, set the inheritance of settings OFF, and set the version to v1.

Now we create a new device in PRTG, and specify as follows:

Start the discovery and you should get:

Which is at least data. The temperature is the main point; it's not 8 degrees in there. The web page on the sensor shows this:

And so here is where I call Sensatronics for Tech Support :-)
And... the answer is: the template for the device has an error. In the column 'division' the entry should be changed from '10' to '1'. Do this in all the sensors. In my case I only have three sensors active.

And the result:

(Yes we do run hot. Saves energy.)

So there you have it. Thanks to Keith from Sensatronics for the final tip!

Saturday, April 12, 2014

A Password Odyssey - Two Well Liked Password Managers

About the Contendahs

The open source program KeePass is great for generating and securely storing all sorts of information (passwords, web addresses, SSH keys, FTP logins, even combo lock codes).

LastPass is a web service that securely stores your password information. It runs in the browser and there is no desktop app. There is also a mobile app if you pay the 'freemium'.

Both systems can use a master password for the repository. But KeePass has other options, and one is to use the Windows logon credentials to open the database. Both systems are generally secure options.

LastPass seems to be best for storing website credentials. KeePass is more general purpose and gives greater flexibility (maybe too much?), such as choosing your encryption algorithm. And I have used it as a place to store all sorts of access information, including combo lock codes, FTP logins, and encryption keys.

A great feature of LastPass is to let it choose passwords for sites, and store them, so that you don't need to remember those passwords. It helpfully reminds you when a password is duplicated between sites, to make each site's password unique. This way you are not relying on your browser or operating system to store your web site passwords. For a little more money, you can get an app on your iPad or smartphone.

KeePass is more the free Swiss Army knife of password encryption. You need to move that encrypted password file around with you. Or save it in Dropbox and open it from wherever you are. (That feature is front and center in KeePassDroid.)

In the Heartbleed story, Mashable referenced LastPass. And so I looked into using it as a place to save and update passwords. Looking for browser integration, I decided to give it a try. Converting from KeePass 2 KDBX format was not straightforward.

Converting from KeePass 2 to LastPass

LastPass suggests using a KeePass XML format export with the LastPass import routine. The XML import resulted in a series of notes with credentials stored in them, instead of a list of sites with the username and password stored in the correct fields.

The obvious thing to try is a CSV export.
Save the database as a CSV.
Edit the CSV in Excel to match the column format. (Yes, you still need that!)

Details: https://helpdesk.lastpass.com/getting-started/importing-from-other-password-managers/#Importing+from+a+Generic+CSV+File

Unfortunately, my favorite Mac KeePass port, KyPass Companion, did not allow CSV export, so I had to fire up a PC to convert the data.

The next thing to note is that the import process un-checks entries without a URL. I always used KeePass as a reference, so I did not have a URL for each site. Without the URL, the browser integration piece is broken.

So, you really want to track down the URLs and enter them in your CSV file before importing the CSV. In any case you will want to decide whether to check the entries for sites that would otherwise not be imported during the process.
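
The CSV step above can also be scripted rather than done by hand in Excel, which also lists the entries that have no URL before you import. This is an added example, not part of the original post or of either product; the KeePass export header and the LastPass column names are assumptions to check against your own export and the LastPass help page linked above, and the sample rows are constructed.

```python
import csv
import io

# Assumed header of a KeePass CSV export; check the first line of your file.
KEEPASS_COLS = ["Account", "Login Name", "Password", "Web Site", "Comments"]
# Assumed LastPass generic CSV columns; check the LastPass help page.
LASTPASS_COLS = ["url", "username", "password", "extra", "name", "grouping", "fav"]


def convert(keepass_csv_text):
    """Return (lastpass_csv_text, names_of_entries_without_url)."""
    reader = csv.DictReader(io.StringIO(keepass_csv_text))
    missing = [c for c in KEEPASS_COLS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"unexpected export format, missing columns: {missing}")

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=LASTPASS_COLS, lineterminator="\n")
    writer.writeheader()
    no_url = []
    for row in reader:
        url = (row["Web Site"] or "").strip()
        if url and "://" not in url:
            url = "https://" + url  # assumption: turn bare host names into full URLs
        if not url:
            no_url.append(row["Account"])  # the import would un-check this entry
        writer.writerow({
            "url": url,
            "username": row["Login Name"],
            "password": row["Password"],
            "extra": row["Comments"],
            "name": row["Account"],
            "grouping": "",
            "fav": "0",
        })
    return out.getvalue(), no_url


# Constructed sample export; the entries and credentials are made up.
SAMPLE = (
    '"Account","Login Name","Password","Web Site","Comments"\n'
    '"Example Mail","alice","p@ss,word ""1""","mail.example.com","personal"\n'
    '"Gym locker","","17-32-5","","combo lock"\n'
)

if __name__ == "__main__":
    converted, no_url = convert(SAMPLE)
    print(converted)
    print("Entries with no URL (add one before importing):", no_url)
```

Both the export and the converted file hold every password in plaintext, so delete them once the import has been checked.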

Running the import with an edited CSV

With a complete CSV, LastPass complains about using Chrome during the import - so I had to open up Safari. Or install Firefox. Safari worked just fine.

Final Impressions

Both programs seem to be secure. LastPass is only free in two ways: free in the browser, and free as in beer. KeePass is open source, and so the source code is available for review (free as in freedom); and there is no cost unless you wish to pay for a specialized version such as KyPass Companion.

Given that the Heartbleed OpenSSL bug was available for review for two years before it was discovered - the freedom argument is even more of a philosophical one this week.

KeePass is definitely the winner when it comes to a convenient file-based manager.
If you're OK with Dropbox, that is also a really handy way to sync KeePass files.
And I think it is better as a Swiss Army knife, to store items other than website login information.

Having used LastPass for a few minutes - it really is easy to jump onto a website with browser integration. Having looked at how they claim encryption is done in LastPass, seeing that the passwords are encrypted before they reach the server, that is another great feature. If the server is compromised, your passwords are still encrypted.

When changing passwords, however, the browser integration is annoying. Unfortunately the app does not overwrite (clear out) anything that was previously entered in these 'new password' fields when it inserts the new replacement password. But you can work around this by generating a new password. Then copy and paste your generated new password into the two 'new password' fields directly before updating.

Make sure the 'old' password is good. It's easy to get out of sync when generating a new password. You might want to copy down the old one before you make any updates. Particularly in a case where there is no easy password recovery option.

Parting Thought

I am not sure if I will be comfortable with a process where I never see the password itself. Generally I remember many dozens of passwords, so until now KeePass has really been a backup. What if LastPass goes down?

Thursday, April 10, 2014

Moving a Mac iTunes library to a NAS device - the most overlooked step...

Moving iTunes library to a NAS device

So, I bit the bullet and picked up a NAS device to offload AV files from my Mac.
Now I want iTunes to run from the network disk drive instead of needing to keep the Mac on all the time. It takes less juice :-)

I followed a couple of different walk-throughs:



Most overlooked setup detail

The key point from the ARS article is this: If the drive is not mounted at boot time, iTunes will not play. It also won't sync to an iPad or other device.

The key was to go into the "Users and Groups" control panel and select "Login Items".
Here you can navigate to shared network resources, and set them to mount at login.

The drives need to be mounted before iTunes is launched. iTunes did move my music library to the external device, and correctly updated the file location, but it just chokes when it tries to play.

I had to reboot the Mac to ensure that the drives were mounted before it would work.

So, now we can share iTunes to PCs wirelessly. But for other devices the story is not straightforward: the NAS device does not have iTunes' home sharing. So accessing these media resources will happen through a non-Apple app from the iPad unless it has been synced through the Mac.

Tuesday, April 1, 2014

Changing the root password in VMware

OK, so it's not supported. Don't do this at home, folks. Or at least test it first.
Some days you just need to hack things into shape...