Re:What's the best solution for non-tech home user (on "Are You Using 802.1X?", Score: 1)
Take a look at the Zyair product line from Zyxel. They have built in radius servers and can be found for under 100 dollars.
Re:We just finished rolling out EAP-TLS on a Win2k (on "Are You Using 802.1X?", Score: 1)
Our remote access policy requires the cert and will deny any connections without it. Win2k's IAS does not seem to support PEAP, while Win2k3's does. I will never use EAP-MD5, would YOU trust your company's critical info to MS-CHAP?! ;)
We just finished rolling out EAP-TLS on a Win2k... (on "Are You Using 802.1X?", Score: 4, Informative)
Outside of the access points we used all pre-existing equipment. We already had an Enterprise Root Cert Authority set up on our Root Win2k DC. We then created a cert for wireless access. We deployed the cert by using policies and used IAS to authenticate the users against a remote access policy that verified users' group memberships.
For Hardware we used Cisco 1100's and Zyair B1000's (Http://www.zyxel.com). The B1000's have a beta firmware to support EAP-TLS and cost less than $100 bucks!
We only allow Win2k and Windows XP clients to use wireless, setting up the few win98 clients we have is too much of a pain!
With Windows XP Service Pack1 the user will get a prompt that says there is a wireless network available. Included in that is a check box to use 802.1x authentication and since the default is Certificates all the user does is click connect and they are on!
If you have clients other than Windows clients you can still use the Win2k cert server, just have them download the cert via the web manager. It will be http://certservername/certsrv. Works great.
Point by point:
#2: Many of the attacks use Zero-day exploits that are not public knowledge.
#4: See #2
#5: If you have more than 1400 servers there will be some that are vulnerable and when that happens they get one door they need. Hopefully it is just some departmental webserver so the scope is small but they almost certainly now have at least the first foothold they need to grab some accounts and move from there if they don't have a Zero-day exploit they can use.
#5 (2nd #5?): What they get is the SAM database which is hashed using NTLM so it is vulnerable to rainbow table attacks.
So for it to work you just need:
1) An exploit not publicly known that allows remote code execution or elevation of privilege. There are at least 2-3 of these a month.
2) Compromise a departmental webserver/app server and start working backwards.... Eventually you will get more and more accounts until you get something interesting. At the worst you have mapped a typical server and know your attack surface. Maybe they run Tivoli? So scan specific hosts for Tivoli vulnerabilities but do it slow so it isn't seen by IDS. If they run Symantec AV use the exploit that is out right now to get on a privileged system...
So obviously it isn't as hard as it first seemed, and it isn't a matter of incompetence with large companies; there are simply too many possible ways in. Your best defense is a layered one with a lot of monitoring of your logs and IDS sensors to watch for things that look unusual. Baseline your traffic so if you see a large upload over https to a server in a weird location you can flag it! It might be your SAM database going out the door...
tl;dr: In a large company there are a lot of ways to get in; if you think you are safe you are lying to yourself.
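The "baseline your traffic and flag a large https upload to a server in a weird location" advice above, as an added example that is not part of the original comment: it builds a per-host upload baseline from a constructed week of HTTPS flow records and then scores new flows against it. The flow records, the host names, the TEST-NET addresses and the country labels are all constructed sample data; the three-sigma threshold and the absolute floor for hosts with no baseline are assumptions chosen for the example.

```python
"""Baseline outbound HTTPS volume per host and flag unusually large uploads.

Added example, not code from the original comment. All flow records below are
constructed sample data; thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str          # internal host name (constructed)
    dst: str          # remote server IP (TEST-NET addresses, constructed)
    dport: int        # remote port
    bytes_out: int    # bytes uploaded by src in this flow
    dst_country: str  # geolocation label for dst (constructed)


# Constructed "normal week" of HTTPS flows that form the baseline for ws-017.
BASELINE_FLOWS = [
    Flow("ws-017", "198.51.100.10", 443, 12_000, "US"),
    Flow("ws-017", "198.51.100.10", 443, 15_000, "US"),
    Flow("ws-017", "198.51.100.22", 443, 9_000, "US"),
    Flow("ws-017", "198.51.100.22", 443, 20_000, "US"),
    Flow("ws-017", "198.51.100.10", 443, 11_000, "US"),
    Flow("ws-017", "198.51.100.22", 443, 14_000, "US"),
]

# Constructed new flows to score: one normal, one huge upload to an unseen
# country, one moderately large upload to a known destination, one from a host
# with no baseline at all, and one non-HTTPS flow that this check ignores.
NEW_FLOWS = [
    Flow("ws-017", "198.51.100.10", 443, 13_000, "US"),
    Flow("ws-017", "203.0.113.77", 443, 48_000_000, "ZZ"),
    Flow("ws-017", "198.51.100.22", 443, 30_000, "US"),
    Flow("srv-db-02", "203.0.113.5", 443, 25_000_000, "ZZ"),
    Flow("ws-017", "198.51.100.10", 80, 90_000_000, "US"),
]

SIGMA = 3.0                  # standard deviations above the mean that count as "large" (assumption)
ABSOLUTE_FLOOR = 10_000_000  # bytes; fallback when a host has no baseline (assumption)


def build_baseline(flows):
    """Per source host: upload-size statistics plus the destinations/countries seen on 443."""
    sizes = defaultdict(list)
    seen_dst = defaultdict(set)
    seen_country = defaultdict(set)
    for f in flows:
        if f.dport != 443:
            continue
        sizes[f.src].append(f.bytes_out)
        seen_dst[f.src].add(f.dst)
        seen_country[f.src].add(f.dst_country)
    return {
        src: {"mean": mean(vals), "stdev": pstdev(vals),
              "dsts": seen_dst[src], "countries": seen_country[src]}
        for src, vals in sizes.items()
    }


def flag_uploads(baseline, new_flows, sigma=SIGMA):
    """Return alerts for HTTPS uploads that are large relative to the host's own baseline."""
    alerts = []
    for f in new_flows:
        if f.dport != 443:
            continue
        b = baseline.get(f.src)
        if b is None:
            # No history for this host: fall back to an absolute size floor and ask for review.
            if f.bytes_out >= ABSOLUTE_FLOOR:
                alerts.append({"src": f.src, "dst": f.dst, "bytes": f.bytes_out,
                               "severity": "review", "reasons": ["no baseline for host"]})
            continue
        threshold = b["mean"] + sigma * b["stdev"]
        if f.bytes_out <= threshold:
            continue
        reasons = [f"{f.bytes_out} bytes > threshold {threshold:.0f}"]
        severity = "low"  # large, but to somewhere this host already talks to
        if f.dst_country not in b["countries"]:
            reasons.append(f"country {f.dst_country} never seen for this host")
            severity = "high"
        elif f.dst not in b["dsts"]:
            reasons.append(f"destination {f.dst} never seen for this host")
            severity = "medium"
        alerts.append({"src": f.src, "dst": f.dst, "bytes": f.bytes_out,
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_uploads(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert["severity"].upper(), alert["src"], "->", alert["dst"], "; ".join(alert["reasons"]))
```

In the constructed data ws-017's baseline works out to a mean of 13500 bytes with a standard deviation of 3500, so the threshold is 24000 bytes: the 48 MB upload to a never-seen country is flagged high, the 30 KB upload to a known server is flagged low, and the host with no history is flagged for review on the absolute floor. Per-host baselines matter here because a database server that legitimately replicates gigabytes would otherwise drown out a workstation that has never uploaded more than a few tens of kilobytes.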
The categories that are blocked should come from the "Business" side and not from IT except maybe sites that cause operational impact. What we do is assign owners for the block categories and act as the liaison to them when someone wants something unblocked. For example:
Pornography - Human Resources
Social Networking - Human Resources
Guns and Violence - Corporate Security
etc...
In our case IT only owns the sites flagged as malware and excessive bandwidth.
So when someone sends in an email asking for access to Facebook we ask them to complete a form, we then take this form to HR for review. The reason we take it and don't tell them to take it to HR is to allow the block owner to make the decision outside of the scope of politics and without the anger many employees sling. You have NO IDEA how angry people get when something they want to get to is blocked even if the block is completely reasonable.
IT is there to enable the business to operate so they need to tell us what they want to give people access to.
Let me answer your points directly as someone who has been doing some POCs of thin clients in a large (40k+) environment.
1. it simply switches the cost of the workstation maintenance to the back office as you need an immensely powerful data centre to drive thousands/tens of thousands of these terminals;
True except it is always cheaper to manage and maintain those systems than desktops. We know per unit how much each desktop costs us to manage and maintain and we also know the same information for our big-iron boxes and Citrix farm and it came out that if we could serve 20 users per server it was a large cost savings and it helped with support. We even got savings at 10 per
2. you still need a service desk as most requests we get are for new employee accounts and handling typical release incident;
You need this now anyway in a large enterprise environment and you now need less deskside people and remote support is easier.
3. people want to stay competitive and having a one size fits all typically prohibits one-offs, even if there is an obvious advantage;
Not if you do VDI which means you deliver a full desktop to the users
4. problems affecting a cluster will affect everyone so you still need backup PCs for critical service delivery.
No, you just have multiple deployments and redundancy. In most large corporations most apps are client-server (regardless of whether that is a fat client or web client) so there is experience in making systems redundant.
Does it work for every user? No but it does for most, the challenges are:
1) The initial cost of deployment
2) User and business acceptance
If you can solve those issues you will experience year to year cost reductions.
In general I love it, especially since in IT we tend to easily work 9 hour days. A few drawbacks that in my mind are minor compared to the benefits:
1) Some people will abuse the system and will still put in 8 hour days and take the off-friday off. If you are a good Manager or have a good team this won't be any more of an issue than any other issue. ;-)
2) You will find that you will often not get the Off-Friday completely off, in general I work 2-3 hours every off Friday.
3) 9 hour days can be a bit tougher until you get used to them
4) If it is just your group that does this it will fail miserably, either the entire company does it or none at all.
5) As a manager you need to arrange coverage. On a smaller team many people will fail to get a complete off Friday if they are on-call etc. You can do alternating Off-Fridays but you will find that it is tough since many people will expect everyone to be there on an "On" Friday.
6) If you outsource parts of your infrastructure they may have issues with your lack of availability on off-fridays and the outsourcer may use that to extend tasks due to it. Or they may get more done since you aren't there to hassle them
7) A lot more work is crammed into the first 4 days of a week. At times Monday through Thursday can seem hellish.
I have had this schedule over two employers for a total of 5 years and I would HATE to go back to a normal 5 day workweek. The Off-Friday helps keep me sane and allows me to get things done that I can never do on weekends due to family and weekdays due to work!
The sentence above that also says:
""This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software."
So the important issue was fixed and now they are discussing how to improve security overall, it sounds to me like they handled it perfectly.
No worries, we'll just blame the Slashdot editors ;)
Err crap, I shouldn't have copied and pasted; my post isn't entirely clear in this context ;)
This worm exploits a problem in PHPBB 2.0.10 that is fixed in 2.0.11.
The other issue is a PHP problem that can be solved via the work around I posted above or using PHP 4.3.10.
As I posted above, that is a separate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10
Different exploit, that is a separate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10
My Citicard offers a virtual credit card number, I think other cards offer similar services, that might be a good way to protect yourself.
"Finally, Novell has agreed to withdraw its intervention in the European Commission's case with Microsoft."
I love Firefox but I have to use IE for a few sites, maybe this will force these last few sites to step up and get their sites working with other browsers.
Nothing annoys me more than to get a message that my browser is not supported when I visit a page!
I removed sugary drinks and candy from my diet two years ago and I am working on caffeine. So far I have had moderate success by limiting my intake. For example I now only drink caffeine at lunch and then only one glass of Diet Coke. In a few weeks I will trim it down to once every two days etc.
It seems to be working for me so far...
Why should we trust their voting systems without auditing?
Exactly, I really think that this will help drive prices down and bring service up.
I have been outside my contract with Sprint for over a year and I have refused to change my plan just to avoid getting into a new contract. Now I have the freedom to say to Sprint (or any other provider) "I am sorry but I feel that I am getting better value elsewhere". I was never rude, I simply told them the exact deal I am being offered elsewhere and asked if it was possible for them to match or beat it and they did.
If I was willing to agree to a new contract I would have gotten a $99 credit for a new phone but to keep my options open I did not sign up for a new contract.
With my current carrier, I called them and told them I was thinking about switching and they chopped $15 off my bill if I would stay.
It can't hurt to ask!
What about those people who have no interest in downloading music legally or otherwise? Why do they have to have this cost come out of their tuition?
I say leave it up to each individual student.
"To my surprise I found the every NRA site was blocked and was in the category 'weapons.'"
The program can be configured to block the categories; if you select "weapons" is it any surprise that the NRA's website is blocked?! I am not against the NRA, but it does fit the filtered category!
I also want to point out that if this is the same list used by their SEF firewalls then Symantec does not maintain that list themselves so you should not be attacking Symantec until they have had a chance to resolve the issue with their vendor.
If the title wasn't enough to indicate to you that we have some old equipment, just recently the money got approved to remove an old Lantastic network! I have worked for this company for over 2 years and didn't even realize it was there until it came up as needing to be replaced! It operates in some graphics printing area.
I think my boss told me we have a 9600 baud analog point-to-point circuit for some app up until 6 years ago...
Half of our network is still on Token-ring...
Mmmm let's see what else.... One of our CAD areas is still running 8 386 16 MHz PCs with a DOS application and some massive 21 inch monitors.
There is much more and much worse but that is all I can remember right now ;)
When I get into work tomorrow I will do two things:
1) Set up an internal web server and redirect all traffic to 64.94.110.11 to this box that says something like "you have mistyped something..."
2) I will enable reverse lookups and anything coming from 64.94.110.11 will be considered spam.
Won't affect my users and might help a LITTLE bit with spam.
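The two steps in the comment above, as an added example that is not part of the original comment: instead of redirecting packets on the network, the same effect can be had at the resolver by treating any DNS answer that consists only of the named address as "name does not exist" and showing the user a typo message, and a mail policy hook can reject SMTP clients connecting from that address. The FAKE_ZONE table and the fake_resolve function are constructed stand-ins for real DNS so the sample runs offline; 64.94.110.11 is the address the comment names, and the example host names and other addresses are constructed.

```python
"""Scrub wildcard DNS answers and reject mail from the same address.

Added example, not code from the original comment. DNS is simulated by the
constructed FAKE_ZONE table; plug a real resolver into resolve_scrubbed() to use
it for real. 64.94.110.11 is the address named in the comment.
"""

SINKHOLE_ADDRS = frozenset({"64.94.110.11"})

# Constructed stand-in for DNS: fully qualified name -> list of A records.
# The misspelled host gets the sinkhole address back, as a wildcard would answer.
FAKE_ZONE = {
    "www.example.com.": ["198.51.100.5"],
    "wwww.example.com.": ["64.94.110.11"],
    "mail.example.net.": ["198.51.100.25"],
}


def fake_resolve(name):
    """Return A records for name from the constructed zone (empty list if unknown)."""
    return list(FAKE_ZONE.get(name.lower().rstrip(".") + ".", []))


def resolve_scrubbed(name, resolve=fake_resolve, sinkholes=SINKHOLE_ADDRS):
    """Resolve name, dropping sinkhole addresses; return [] if nothing real remains.

    An answer made up entirely of sinkhole addresses is treated like NXDOMAIN,
    which is what the user should have seen for a typo in the first place.
    """
    return [a for a in resolve(name) if a not in sinkholes]


def handle_lookup(name, resolve=fake_resolve, sinkholes=SINKHOLE_ADDRS):
    """What the internal box in the comment's step 1 would tell the user."""
    raw = resolve(name)
    clean = [a for a in raw if a not in sinkholes]
    if clean:
        return {"status": "ok", "addrs": clean}
    if raw:  # only sinkhole addresses came back
        return {"status": "typo",
                "message": f"{name} does not exist; you have mistyped something."}
    return {"status": "nxdomain", "message": f"{name} does not exist."}


def is_sinkhole_client(client_ip, sinkholes=SINKHOLE_ADDRS):
    """Mail policy hook for step 2: True if the connecting SMTP client is a sinkhole address."""
    return client_ip in sinkholes


if __name__ == "__main__":
    for host in ("www.example.com", "wwww.example.com", "nosuch.example.org"):
        print(host, "->", handle_lookup(host))
    print("reject mail from 64.94.110.11:", is_sinkhole_client("64.94.110.11"))
```

Doing this at the resolver keeps the real answer for any name that also has legitimate records, and only names whose sole answer is the sinkhole address get the typo page; the mail hook is deliberately a plain address-set check so it can be called from whatever policy daemon the MTA already supports.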
The article implies that they are somehow blocking access nationwide. Are they doing this for people in their homes with private access or does this just apply to children attending an internet cafe?
This looks like it was just an ad/demo of their code testing software.
I am trying to get the main analysis downloaded now, but they must have been prepared for a slashdot posting ;)