Is obsolete the new secure?

Posted by Josh on June 17, 2014 in Security |

I recently read an article in Defense Systems Magazine that toyed with the idea of using what most would consider obsolete technology as a “security” measure.   In this case they were specifically talking about the use of 8-inch (yes, you read that right) floppy disks that hold about 1 to 1.2 megabytes of data.


8 Inch Floppy disk and drive


They make a convincing case for it as well. How many hackers could write a malicious program à la Stuxnet within such a limited amount of storage, let alone have the equipment to write it to a disk?

Along this same vein, there are advocates of using old “retired” operating systems as a means of security. Really think about this point: how many hackers are going to develop and use exploits for Windows NT 4.0 or Windows 95? What about long-unsupported Solaris OSes? The cost-to-benefit ratio or, in business terms, return on investment (ROI) is almost nil since there are so few viable target systems.

Now, looking at things from a realistic perspective, companies by and large are not going to rely on aging and unsupported technologies for normal day-to-day business. Given that reality, they continually update to the latest and greatest version of whatever platform they are using.

Yet hiding in a dark corner somewhere, they might just have an old machine running some specialized system that they “forgot” about or are simply “afraid” to touch. This is often true of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. These are the systems that run everything from the robot that built your car, to the computer that controls a Computer Numerical Control (CNC) machine that makes parts, to the units that control the water and electrical systems for your utility companies. Companies really tend to hate updating these systems, regardless of how old they are, not only because of the cost involved but because they tend to control critical pieces of the company’s process or infrastructure.

There are really several big drawbacks to using obsolescence as a means of security. The first is that if there is a known vulnerability, there is no way to actually fix it. It is out there and can be exploited at any time. The second is attrition of technical experts with skills in that outdated software. Right now, you can find plenty of IT folks with current skill sets on Windows XP if you’re still using it after the XPocalypse a few months ago. Going a few years further back in time, try finding someone who is still in the industry with a current working knowledge of Windows NT 3.51, which was released nearly 20 years ago and stopped being supported more than a decade ago. The final issue is one of physical products: the hardware bits that these obsolete systems run on. Finding compatible systems for these old programs to run on becomes harder and more expensive as time goes on. This also includes the physical media for repair and reinstall if it’s required. How well is that 8-inch floppy going to hold up over time?

While obsolescence might very well work as a method to secure systems, in the long run the deck is stacked against it as a viable long-term solution to an ever-persistent problem.




Posted by Josh on May 21, 2014 in Security |




The Death of Windows XP… XPocalypse

Posted by Josh on May 1, 2014 in Security |

On the 8th of April 2014, Microsoft effectively “pulled the plug” on its decade-plus-old operating system, Windows XP. What this translates to for end users is fairly simple. Their Windows XP computer won’t stop running, but any future security issues that are identified with the operating system will not be fixed via a patch from Microsoft.

Why does this matter? As recently as February of 2014, data from NetMarketShare showed that Windows XP still accounts for a fourth to a third of the computer systems running worldwide. That means up to one-third of the world’s computers are no longer receiving security patches!

Outside of the home user who just does web surfing and types Word documents, there are thousands of businesses that still run XP as part of their end-user environment and network infrastructure. Infrastructure is the keyword here: we are talking about things like ATMs, medical devices/equipment, standalone kiosk systems, digital security systems for buildings and Industrial Control Systems.

That last one might have you stumped a bit; don’t worry. Many in the IT field don’t have a good understanding of what they are or how they affect the IT industry. Industrial Control Systems include systems like SCADA (supervisory control and data acquisition), distributed control systems (DCS), and programmable logic controllers (PLC). These are the systems that control your utilities and amusement rides and run many industrial processing plants. Historically these systems have had what would be considered very poor patch compliance, since they are often deemed “Critical Systems” and might get patched as infrequently as once a year, if at all.

Up until now, a malicious hacker had to get into the system first to know whether it was patched or not and to see what exploits they could run. Now, since end of life for Windows XP, it becomes the wild wild west for these critical systems. When a vulnerability is discovered, you now know that every system running Windows XP is not only vulnerable, but will ALWAYS be vulnerable.

You might be thinking, how likely is an attack against an Industrial Control System? They are more likely than you would guess! The most famous attack against these types of systems was the infamous “Stuxnet” attack against the Iranian nuclear centrifuges, ruining one fifth of their assets. In 2013 a researcher at TrendMicro used a “honeypot” simulation of an Industrial Control System for a water pump facility in rural Missouri. This phantom system was attacked 17 times over a 4-month period. 12 of those attacks were deemed “serious”, with attack sources from China, Laos, Russia and Palestine.

This is a major issue. So much so that recently the United Kingdom paid $9.1 billion (US currency) to extend the support of Windows XP until July of 2015. The Netherlands government also purchased an extended support contract for its upwards of 4000 civil service employees still using Windows XP. Recent reports have indicated that even US Government agencies have shelled out millions for extended support, most notably the Internal Revenue Service.

Even with extended support agreements, at $200 a system per year, there is only so long that it is financially responsible to extend the support, especially when computers can be purchased new with the latest operating system for under $400. It will take an aggressive operating system migration/computer replacement plan to root out all those hidden systems before the risk will be mitigated.



Continuing Education and the IT Workforce

Posted by Josh on April 11, 2014 in Certification |

Recently at my place of employment there has been much ado about “Continuing Education” with regard to professional IT workers, specifically when it comes to certifications. Many of the grumblings I often hear are things of this nature:


– I don’t know why I need to do this; I know how to do my job!


– I passed the exam, why do I have to do more “stuff”?


– This is just a racket of the certification company.


The list could go on, but I think you all get the gist of the overarching thoughts I have heard. I can understand their frustration with having to find time not only to do the continuing education, but also to document it properly with their employer and certification company.


Let’s look at why Continuing Education is important:


1.  IT is always changing.  What you learned even as recently as a year ago can be completely out of date and superseded today.


2. Standards. Continuing Education is required by the American National Standards Institute and the International Organization for Standardization. Why do these organizations require it? Simple: it ensures that certified professionals keep up with the latest changes in the field.


3. Would you really want someone who was certified in 1995 and has no evidence of actually being current with the technology being used now? Continuing Education is how this is accomplished. This process is used in a myriad of fields outside of IT. Notable examples of careers with Continuing Education requirements are Medical Professionals, Teachers, Legal, Engineers, and Architects.


4. Continuing Education sets you apart from your peers! It can introduce you to new technologies that will make doing your job as an IT Professional easier, faster, or better.


5. It helps the business bottom line. While you might be away from the work center to get the training, you’re bringing back skills that can assist in reducing the cost of running your IT center or in finding new software or procedures that make your business process more efficient and cost effective.


6. Even the most rigorous certification’s requirement for Continuing Education still only works out to be just under 4 hours a month, with most being about 1 hour. Most certifications run on a three-year cycle for recertification, with Continuing Education requirements of anywhere from 20 to 120 credits/units in that time frame. While 50-120 may seem daunting, when broken down into monthly quotas, it is not only “doable” but completely realistic.


7.  Certifications with Continuing Education requirements mean higher salaries!  Yes, they do have annual maintenance fees that can go up to $100 a year per certification, but the certifications are often gateways to higher salaries.   Data shows that having a current certification can raise your pay by $5,000.  Higher level certifications like CISSP can increase your salary as much as 10-15%!


Here is a sampling of some common certifications that was published by Global Knowledge and TechRepublic in 2010.


CCNA – Cisco Certified Network Associate … $79,695

MCP – MS Certified Professional … $74,438

MCSE – MS Certified Systems Engineer … $86,454

MCSA – MS Certified System Administrator … $76,337

CompTIA – Network+ … $70,902

CompTIA – A+ … $68,631

CompTIA – Security+ … $76,844

CISSP – Cert Info Sys Security Professional … $99,928

CCNP – Cisco Certified Network Professional … $89,864

VMware Certified Professional … $91,271

MCITP – MS Certified IT Professional … $82,044

CCDA – Cisco Certified Design Associate … $93,953

MCDST – MS Certified Desktop Support Technician … $70,197


8. It is a condition of employment. While many IT Professionals may have opted to keep their “For Life” certification, it is becoming more and more common for employers to require certifications that have Continuing Education requirements, whether it is to meet their own compliance standards or because they find value in having someone who is constantly abreast of the latest IT trends.

While Continuing Education can be painful if not properly managed, the benefits far exceed the detractors when weighed objectively against each other.



Posted by Josh on December 11, 2012 in Security |

The first DEFCON 318 group meeting will be December 12th at 6:00PM @ Noble Savage in downtown Shreveport.  Come check it out.



Online Privacy: Is it real?

Posted by Josh on November 20, 2012 in Security |


Online Privacy, to a large degree, is a myth that we tell ourselves exists to ease our minds about the various things we do and place into the ether of the beast called the Internet.

The largest problem with the Internet and the concept of privacy is how the Internet works. As an individual, you have little to no control over the various routers and switches your data will traverse as it makes its way from your computer, tablet or smart phone to the destination. Join that issue with the way things like email handle “headers” and that “anonymous” email account is not as anonymous as you would think.

Take for example the recent resignation of the Director of the Central Intelligence Agency. He appeared to have been covering his tracks with the deft hand of a true CIA “Spook”. The two individuals involved used a single anonymous email account, never actually sending the messages, but leaving them in the “draft” folder for the other to read when they logged in. With no emails between them to trace, that does not leave much for a would-be thief to work with. In this case, one of the individuals sending an email from that account brought down the house of cards. A threatening email was sent from the joint account and subsequently reported to the authorities. From that email and the IP addresses in the headers, they were able to track the account back to a group of email accounts that also used the same IP address, and to different IP addresses that had also accessed that anonymous email account. From that point it was fairly easy to determine the real people behind that account.

Keep in mind, one of the people involved was the Director of the CIA. This was the man in charge of one of the largest spy organizations in the world with top-notch encryption at his fingertips, and he was ousted by a single email. If the Director of the CIA can have his personal email hacked, what do you think your odds of not being hacked are?

This leads back to the new adage of “don’t put anything on the internet that you wouldn’t want your Grandmother to see,” for once something is out in the ether, there is no way to take it back.

This even extends to digital photographs as well. Many modern digital cameras and smart phones embed “metadata” within the digital images that will tell things like the make and model of the camera and GPS locations. This makes it pretty easy for someone to take that “anonymous” adult photo without a face and track it back to your house.

Can you have privacy on the Internet? That really depends on what you mean by “privacy.” Absolute, 100%, unbreakable privacy is likely to never happen unless you have a computer that you never turn on, never connect to anything, and have locked in an armored room that only you have access to and for which you destroyed the only key, etc, etc. Can you have a reasonable assurance of data not getting into the wrong hands by using the appropriate levels of encryption, strong passwords or better yet passphrases, not using public WiFi and, most of all, not putting anything out on the Internet that you would not want someone else to see? The key in all things security is defense in depth and not being the low-hanging fruit for a hacker to seize on to and exploit.



Social Media and Security

Posted by Josh on November 8, 2012 in Security |

When people think of social media and security, they often focus on the security of the particular social media site they are using. Whether it is Facebook, Twitter, FourSquare, or any of the vast number of social media sites, the site itself is not your only concern. You might be your biggest security threat!

You may have a shocked look on your face right now with the questions of “What? Me? How!?!” running through your mind. I understand your confusion: you go through all the sites and lock down the security settings per the directions posted on the various websites that talk about security, so what are you doing wrong? The answer is really simple… you are likely an “over sharer” with your personal information.

How do you over share? Posts about when you are leaving for vacation, “checking in” at the gym or a restaurant, “tagging” your friends who are with you at the bar, etc, etc. These kinds of posting activities on social media sites not only tell others where you are, they also tell them where you ARE NOT! You are not at home and, oh by the way, Bob, Sue, and Sally are not at home either. Over time, your daily routine can even be deduced from your posts, tags and check-ins. Think about all the events you click “going” to, from which your friends can see when you will not be at home. Often these events are planned weeks in advance, giving someone plenty of time to plan a less than honest action against you.

While you lock down your social media to friends, do you REALLY know everyone on your friends list? Maybe you have it locked down to “friends of a friend”; can you trust that all of those individuals are trustworthy with that information? Remember, it might not even be you that is “over sharing”; it might be your friend tagging you in THEIR posts.

Does this mean you should never post anything about where you are, what you are doing or whom you are with? Of course not. It is a warning to stop and think before you post. Who will see this? Do they really need to know I am “at the Tiki Bar with Tom and Amanda” and will be “going to see the latest blockbuster movie at the 10:40 showing”? These kinds of posts set individuals up not only for theft, but for social engineering attacks.

A social engineering attack from my Facebook posts? For those of us who are simply horrible with names and faces, someone could easily walk up to you and use facts about you that you have freely posted on your social media page. “Hi, Steve, I am Bob Smith, we met a few weeks ago at the Young Business Person event” (taken from your check-in there), continuing with various tidbits of information gleaned from your various posts. While it might not work on everyone, it is a very real possibility.

Looking at the over sharing issue from another perspective, will the items I post and locations I check in at have a negative effect on my professional life? Will a potential employer see that photo of me doing a beer bong and pass me over as a potential employee or for a promotion? For those individuals with government security clearances, is there anything that I am posting or “liking” that may result in the removal of my clearance?

The bottom line here is to know your security settings, know who will be able to see what you post, and stop and think about whether you really want people to know this information, because once it is on the internet, there is no way to take it back.



Startup Weekend Shreveport-Bossier

Posted by Josh on October 2, 2012 in Uncategorized |


Have you ever considered starting your own business but didn’t really know where to start? My friends over at the Shreveport-Bossier Cohab have the solution! This month (Oct 26-28, 2012) they are hosting a 54-hour “Startup Weekend” event! They will take you through the process.

From their page:

“All Startup Weekend events follow the same basic model: anyone is welcome to pitch their startup idea and receive feedback from their peers. Teams organically form around the top ideas (as determined by popular vote) and then it’s a 54 hour frenzy of business model creation, coding, designing, and market validation. The weekends culminate with presentations in front of local entrepreneurial leaders with another opportunity for critical feedback.”


Sign Up: HERE



More Social Engineering

Posted by Josh on October 1, 2012 in AFCEA, Security |

Here is a great write-up of my August Continuing Education Lunch and Learn Program.   AFCEA Signal Magazine


Copyright © 2012-2021 All rights reserved.