Archive for the 'Security' Category

Page 3 of 5

Beware of Geeks Bearing Gifts

Published on June 9, 2006 in Security and Techie. 0 Comments

Trojan USB

Seen any neat USB drives laying around recently? Could be a trick.

If you are like me then you could probably relate to the hapless credit union employees gathering up free USB drives and plugging them into their computers.

There are several reasons:

1. Looking for identifying information on whom the drive belongs to (that would be my reason).

2. Curiosity and general snoopiness (I will not admit to that being my reason).

3. Desire to have a free USB drive (I didn’t take the first 4, but I will take the fifth).

Autorun
You can read the comments at the bottom of the article and see the discussion about Autorun, and I would suggest turning that off.
For Microsoft users, you can grab the TweakUI Powertoy provided by Microsoft, or you can just open up “My Computer” and right click on your CD or DVD drive and select it to “Take no action” or “Prompt me each time . . .” under the “autoplay” tab. For USB drives you can plug one in and then do the same thing. For floppy disks you should just not bother using floppy disks.

Click Click Clickity Click
In the story it appears as though Autorun was not the culprit. Rather it was curiously clicking files that cause them to activate. This would also be a threat for Mac computers if the written code was designed for a Mac. If someone is targeting you then they would write it for your system so the feelings of invulnerability in a Windows world would become a liability.

Security Policies
One commenter stated that all employees who fell for it should be fired. While at the time of this post there were some replies against his comment none of them included an important consideration. I have several people working for me doing security. Each one of them has made a bad mistake that compromised the security of the building. My rule is that a mistake is not a firing offense but rather an opportunity for education. Once the problem has been pointed out and discussed then the likelihood of a repeat on the error is minimal. Why fire someone for making a mistake when the person who hire to replace them will make a similar mistake. If God killed us at the moment of our first sin then I wouldn’t be writing this and you wouldn’t be reading it.

Update – June 12: I have been looking at updates to this story and decided to add them here.

1. According to a response from someone who appears to be with the company that did the USB attack, they simply relied on people having the “hide extensions for known file types” option selected. I hate that option. I have it off on my computers, but I support people who use it and so troubleshooting over the phone is difficult when they have no idea what they are clicking. The extension is one more level of protection to help Windows users.

2. There is software that will help protect you from USB issues like this, but the low tech option looks cheaper (grab some glue).

The next USB drive I find laying around at the church will be plugged into a computer. Hey, if one of the ministers loses important information I want to make sure it gets back to them. However, I will be a little more careful.

Security Now!

Published on June 2, 2006 in Podcasting, Security and Techie. 0 Comments

If you want to know the joke behind the name just Google Serenity Now.

If you want to know what it is about, check out the Security Now page from Steve Gibson’s Gibson Research Corporation site. If you don’t know who Steve Gibson is then you have not been paying detailed attention to computer security for a long time.

Steve is an old school Internet guy who does his programming in Assembly Language and his web design in Plain Old Html (POH). So, while some of what he talks about seems very arcane he knows a lot about the basics of computers and networking.

I have been listening to his podcast for a few weeks now and have listened to just about all of them up to this point (#42 NAT Traversal is on my mp3 player right now). Each podcast episode has a high quality mp3 (12MB – 34MB) for broadband users, low quality mp3 (2MB – 8MB) for slower connection, transcripts (in html, txt, and pdf), and sometimes supplimentary notes).

The episodes on How the Internet Works, How Ethernet Works, WiFi Security, and desktop computer issues are quite an education in themselves.

Google Research

Published on May 15, 2006 in Security. 0 Comments

I am continually amazed at what minutiae Google finds and indexes.

We are still suffering from problems with our Zebra p330i card printer and I am having to watch my tongue that I don’t say too much about their incompetent tech support system. The problem was that it would not print properly when the take up reel for the ribbon was half filled, but it did work when it was almost empty. I am guessing that they only tried it with a new ribbon and therefore the problem did not arise. Now it won’t even print on a new ribbon, it won’t even pay attention to cards that need magstripes written.

I mention to my boss that after the printer came back they said that it was only our imagination that it wasn’t printing properly. He said I should call the rep we bought it through, but I cannot find his card. I searched on his name and found it in an email archived several years ago. I looked up the number and found it was still active then called and left a message on his voicemail. I did recognise that I had his assistant’s information on a couple invoices.

Sweet Dreams Security

Published on April 27, 2006 in Security. 0 Comments

Why does security have to be so cold and heartless?

Probably because it looks better that way.

Sweet Dreams Security is a company out to make security just a little cuter. With heart shaped chain links (would hate to have to untagle or carry a bunch of that), cute animal railings (which look more like the result of a demented juvenile impaling small animals), sharp glass landscapes to replace broken bottles (although they could quickly become broken glass landscapes too), and even security cameras with little cozies (insert your own comment here).

Maybe I’ll just issue red clown noses to my security hosts and leave it at that.

Remote Control Outlets

Published on April 24, 2006 in Security. 0 Comments

I mentioned in a previous post that I am looking for remote control outlets forthe security cameras.

I want something secure so that it takes more than just anyone buying a similar control at the store and then having control of turning off the cameras.

The electricity to the church building is kind of poor so we get some bad fluxuations and that requires unplugging and replugging cameras. This typically requires a ladder in order to get up to the camera.

I did a test run and found a problem. They seem to default to “Off” when there is a power loss. The power went out last night and the cameras I was testing it with all went out as well and did not turn back on when the power came back.

I’m going to have to pull out the controls and keep looking for one with a “normally on” setting.

Problems with our Zebra P330i Card Printer

Published on April 13, 2006 in Security and Techie. 0 Comments

We print our own ID cards in house using a Zebra P330i card printer. These encode the magnetic strips for the electrically restricted access doors (we have both magnet locks and electric strike plates).

It is great that we are able to produce professional level ID cards directly. A new employee (or ministry leader) comes into my office, smiles for the camera, I enter their information, and I hit print. about 30 seconds later I am either punching a hole for a clip or lanyard, placing a magnetic plate to the back instead of the old style stick pin, or placing it in a special badge holder that makes it easier for staff to wear the badge and still use it.

Unfortunately the printer has had some problems. I’ll demonstrate on Yoda.

Continue reading ‘Problems with our Zebra P330i Card Printer’

Be like the NSA with SecurityWizardry.com

Published on April 7, 2006 in Security and Techie. 0 Comments

George W. Bush (POTUS) took a visit to the National Security Agency (NSA) a while back and spoke with the director for a photo-op. As usual, the background behind the president was used as part of the the visual story. The background is a really cool tech movie style control panel thingie.

That thingie is actually the Talisker Computer Network Defense Operational Picture.

I am still looking around the Talisker Portal but it has links to many great security tools. It is almost overwhelming and easier to say “Just look at it yourself” so that is what I am going to do since it is easier.

Network searching, password finding, data packet testing, computer rescueing, and more.

A Security Plan I Cannot Recommend

Published on March 30, 2006 in Misc Othr Stuf and Security. 0 Comments

New Security Volunteer Plan
(Beginning Saturday, April 1, 2006)

Sometimes we forget about the many people who are interested in being involved with the ministries of the church as volunteers simply because they love to serve. We get accustomed to thinking that people will only be involved if we hire them on as staff.

While most other areas of the church ministry involve many volunteers I have taken note of the lack of official volunteer positions in the security work of the church. Over the past year it has been common for people to just step in and help out. They have informed the security staff of open doors, suspicious visitors, and other potential security issues. This has always happened in an informal manner, but beginning this Saturday, April 1, we will begin plans to formalize the Security Volunteer Ministry.

The Security Volunteers will serve as sort of Plain Clothes Detail in that they will not be issued uniforms. This will enable them to easily mix into the activities and gather intelligence on potential security issues. The security team leaders will be issued 2-way radios, baseball bats, and heavy duty tape (to hog-tie the suspect) in the case of a Security Event.

This model has already been put into practice in a limited manner and with some success at the Church of the Nazarene in West Palm Beach, FL.

In case you are wondering, you have reached the punch line (no pun intended) of this joke. The opportunity of this news item coming so close to April 1 was too good to pass up. I am sure this plan would have received at least a few volunteers, especially from the high school youth.

(This email was sent to the church staff just before April Fool’s Day. So far, only good responses have come back.)

Nooo! ebuyer.com shuts down US service

Published on March 30, 2006 in Security and Techie. 0 Comments

A few days ago I cried out because the DCS-900w was discontinued. I decided to go ahead and order a different model from our regular supplier yesterday and while checking to see its status I found that as of today they are no longer selling inside the United States.

They have had great shipping. Even with the lowest level ground shipping we would often get our orders the next morning if we ordered by noon. They have regularly been $20 to $30 dollars cheaper than their closest competitors (some competitors were off by $100 – $300), and the shipping price was very low.
Our DCS-950g is with FedEx right now, but this means I will need a new supplier for future cameras and equipment.

DCS-900w Discontinued!!!!

Published on March 27, 2006 in Security. 0 Comments

I logged onto http://ebuyer.com this morning to purchase a stack of DCS-900w cameras only to find out that they are out of stock as of this morning. I contacted support and found that they don’t believe they will be getting any more in. 2 out of their 3 suppliers are no longer carrying it.

I did some searches around and it appears that it has been discontinued. I have been having difficulty finding trustworthy looking suppliers, and I am not willing to go to ebay.

I guess this means it is time to either look at the DCS-G900 which shares the body style and has the same mounting features or go to the DCS-950g which has different mounting, but offers audio. The audio option probably means that it does not provide a Java method for viewing video through the web. I most likely means it uses ActiveX which I dislike using.

I believe we will order a DCS-950g to try it out. If we don’t like it then we will grab on to the g900’s.