Forgot your password?

Comment: Re:Blame them, not Heartbleed (Score 1) 77

by TMYates (#47712347) Attached to: Heartbleed To Blame For Community Health Systems Breach
Saying that an exploit couldn't have been used in the first place is just nonsense. It would be better to say that with the adequate security and audit policies in place, they should have been alerted as soon as someone started trying to test for a heartbleed vulnerability. Action should have been taken as soon as they saw traffic repeatedly running a heartbleed exploit to prevent the disclosure of the information. Nothing can cover 100% and in this case, they were likely waiting on a vendor to patch their system. At the time the passwords were scraped, Juniper may have still been working on a patch (assuming the information that it was a week after announcing heartbleed). This should have been where the IT admins ordered the 72oz cups of coffee and stared at the screen for days on end.

Comment: Re:Open Source Integrated email/calendar/phones/et (Score 1) 565

by TMYates (#47703493) Attached to: Munich Reverses Course, May Ditch Linux For Microsoft
As far as I know there is not a single solution to cover everything mentioned in open source. That being said, although Microsoft offers integrated solutions, they are still separate products. Your named features span Lync and Exchange. For the open source side, I would point you to Asterisk and OpenFire to handle the Lync side and you could probably use Open-Xchange to handle email/calendar (though I am unfamiliar with Open-Xchange). Integration between the products would still be limited though. One of the best distributions I have played with is called Elastix and combines almost all the features you are looking for. Not sure about the calendar aspect though.

Comment: Re:Open Source Integrated email/calendar/phones/et (Score 1) 565

by TMYates (#47703395) Attached to: Munich Reverses Course, May Ditch Linux For Microsoft
There are a couple ways to set it up, but one method is with Exchange integration. In our setup, there is a folder in Outlook called Conversation History. All chat logs and call history end up in there. Lync will also show you some of the information from the Lync client, but older history can be searched there. You can also set up archiving to go to a central database. You can also continue past conversations from within Lync should you wish to.

Comment: Re:Not that hard IMO (Score 1) 151

by TMYates (#47601441) Attached to: Satya Nadella At Six Months: Grading Microsoft's New CEO
I still use Windows Media Center on all my machines running Windows 8.1 Pro. Though they may not be actively developing it anymore, I would hardly call it abandoned when they still support, update, and ship it. Though in reality, the main reason they are not actively developing makes sense in some ways. With Hulu, Netflix and other video providers now making standalone apps for Windows 8, there was not a need to continue development. There is a video app, music app, and pictures app that split the functionality out of Media Center. Everyone seems to hate Windows 8.X, but for my computers hooked up to the TV, it seems to work out well navigating from afar. The Media Center remote control also works for navigating the start screen (to a point). The only thing I wish Microsoft would do is split out the TV app from media center and put it with the other apps like Xbox Music, Video, etc... That is the only reason I still use Media Center.

Zune was an awesome product (still have a Zune HD), but just late to the game. Apple was already trying their best to phase out older style iPods in favor of the iPod Touch. Everyone was wanting either the iPhone or the iPod touch and killing the sales for the other iPods. Microsoft tried to follow a route of moving the Zune app to their Windows Phone platform, but they failed to have Wi-Fi only version like Apple. Once they did that, Zune started to fade out in favor of the Xbox title.

Comment: Interesting Thought (Score 1) 171

by TMYates (#47567831) Attached to: Quiet Cooling With a Copper Foam Heatsink
If I understand it correctly, it works similar to materials NASA uses on the space shuttle. By increasing the surface area of the heat sink, you get a better cooling effect. I believe NASA uses a foam made of 95% air or so for the tiles that are on the outside of the space shuttle. These in turn seem to allow heat in but can remain cool to the touch at very high temperatures internally. Somewhere I saw a video of someone holding a block made of this NASA material. In this case, having a "foam" made out of copper allows it to cool very quickly. I bet it would still work better to have some sort of fan blowing and constantly moving air across the foam.

Disclaimer: I do not claim to be an expert in the physics or technology behind this, but it seems logical to me.

Comment: Re:Vendors.... who needs them... (Score 1) 348

It depends on whether you are running tagged or untagged VLANs. You are correct for trunk ports that carry tagged VLANs, but the catch there is that you have to have a tap or sit on a trunk port that can see the same tags. Both of these cases require physical access to monitor or make changes (or remoting into a switch). If physical access is a problem, you have bigger issues on hand. VLANs are not end all security, but to completely push them aside is ludicrous. Properly done, VLANs are a great augmentation to security, but I would not rely on them as the only means.

I mainly use VLANs with layer 3 routing so I can have firewall rules at the switch level between the VLANs which I put on separate IP networks. I avoid using the same network across multiple VLANs.

Comment: Re:Big Problems (Score 1) 92

by TMYates (#47567193) Attached to: New SSL Server Rules Go Into Effect Nov. 1
I generally haven't as well, but depending on your environment, automatically generated certificate requests may attempt to contain an internal domain. Hence why the default setup would no longer work once this rule takes effect. For instance, an environment that uses a domain.local that you cannot change because you have Exchange (Thanks Microsoft!). It is completely possible to have an internal interface and external and split the roles and certificates (this is what I do). Our internal interface has an internal CA cert and the external a public cert. The problem comes where all the service packs and cumulative updates I have applied required me to remove one of the virtual directories for things like OWA and ECP or the update would fail. The funny part is, they allow PowerShell to create those multiple directories, but the PowerShell scripts they put in the update expect only one directory. Fortunately its easy to export the config of one of the directories and recreate it later.

Comment: Vendors.... who needs them... (Score 1) 348

I have seen this so called "requirement" on occasion and think the company that requires it needs to go though a security audit of their own. I also think that anyone that requires Domain Admin/Root access for their software to run doesn't know a thing about security (I get this commonly too). The problem you may face will be through regulatory compliance for various things (as some here mentioned PCI already) There are other regulations you should probably try to discover if you are required to comply with especially if you will be hosting PII (Personally Identifiable Information). Not just talking HIPAA, but some e-commerce sites require a little more security for their data.

That being said, as long as there is a firewall to the internet and your server does not have critical internal only ports open, in most cases you would at least pass basic security requirements, albeit not optimally. Make sure you run a test using something like NMap! As for alternative ideas, you could set rules in the local firewall to allow unrestricted traffic between the servers involved while limiting access from all others to the default rules. You could also set up IPsec tunnels between machines to encrypt that traffic. I would at least make sure you have a path to separate as many features that require higher security as possible. For instance, PCI will require more strict rules and if that is a problem for this vendor, budget a separate server for transaction processing.

Some of those options may help find some middle ground between your requirements and theirs (after all, you are not limiting traffic of interest to them). I would push to have a Business Associates agreement signed by them saying that by not following your configuration requirements, they will hold some or all of the responsibility for a breach involving their solution. It would still hurt you in the case of a breach, but at least it puts them on edge to make sure they do everything they can to secure their solution since they now have a financial consequence for a breach.

Last but not least, make sure you put the POS system in it's own VLAN separate from all other systems. Lock down that network to only POS traffic and put no other device unrelated to the POS system on that network. This is part of the reason for recent breaches from some of the major retailers.

Comment: Big Problems (Score 1) 92

by TMYates (#47533555) Attached to: New SSL Server Rules Go Into Effect Nov. 1
This may cause big problems for many of the existing systems out there. How do they determine internal names? Does it require a .com? Will it take into account any new top level domains that opened up? What about certificates for various systems that do not require domain names for communication (I.E. ADFS Signing/Encryption Certificates).

I think it should be required to not mix internal and external names in certificates, but to ban them completely is going to break many things. I know by default Exchange 2010/2013 and Lync Server require internal names in the certificate. You can split the bound IPs and use 2 different certificates, but it makes things more difficult to configure and manage. No to mention that Exchange patches really hate multiple virtual directory entries...

Comment: Re:Antivirus (Score 1) 122

by TMYates (#47503295) Attached to: Critroni Crypto Ransomware Seen Using Tor for Command and Control
Antivirus applications would never be an end all solution in any case. There might be a chance they can catch it, but you have to be up to date on the definitions for most to be able to catch it. Some newer systems may be able to do heuristics and catch potential cases that look malicious, but can have false-positives and false-negatives. Even cases where you have the best of everything and are up to date may not completely eliminate risk. This is where Zero-Day exploits (or unpublished exploits) can find their way in and disable or bypass many of these countermeasures.

Firewalls would not be helpful for anything other than blocking known ports to command and control servers. In this case, using Tor would be an advantage for the ransomware as it would block any legitimate use you may have for Tor browsing (not that I would allow it for business use in most cases). You are most likely thinking of something like an IDS/IPS system that can sit on the network and sniff out malicious traffic. Some allow for Deep Packet Inspection with SSL decryption. Even that may not cover all cases. If they use custom protocols or a different method for encrypting traffic, it would most likely render such setup useless after an infection. It may help in the initial detection however.

In the end you can never be 100% covered for anything. I always live by the notion that it is not a matter of IF but WHEN something is going to happen. The best solutions are the simplest. Make sure you have recoverable backups (don't just set them and forget). It also helps to reduce your footprint and exposure as much as possible.

Comment: Government Control (Score 1) 76

Just have to put this out there, but now that the government has taken control, how much do you want to bet the NSA will use this opportunity to spy? Even if they do not use Zeus long term, they could use it to install their own software on millions of PCs that are already infected.

Comment: Re: Fishy (Score 1) 566

by TMYates (#47120143) Attached to: TrueCrypt Website Says To Switch To BitLocker
I may need to look into this for home use again. The USB key was the reason I stopped using it at home since it was nearly impossible to find a consumer level device without a TPM and I got tired of the USB requirement for 7. Of course it has been a few years since I bought a laptop.

I have used both TrueCrypt and BitLocker and like them both, but to be completely honest, BitLocker is the better option for a business with several computers because of the recoverability. I hated having to know our employee's TrueCrypt passwords so I could work on their systems.

Also, I may be one of the few who actually likes Windows 8-8.1.1 (*gasp*) so this would not be an issue for me.

Comment: Re: Fishy (Score 1) 566

by TMYates (#47115085) Attached to: TrueCrypt Website Says To Switch To BitLocker
Correct. But there is a downside. In order to use BitLocker without one, you will require using a USB drive for unlocking the system. A big security risk with using that method in a company environment would be how many simply leave the key in the computer. That would be like leaving the key to your house in the keyhole on the outside of your house. If you have to go that route, you can also add a password with the USB drive to unlock.

Source: Experience

Successful and fortunate crime is called virtue. - Seneca