Archive for the ‘security’ Category

Vetting pantomime

Thursday, 24th March, 2016

Hopefully you have heard the phrase coined by Bruce Schneier, ‘security theatre’, to refer to a lot of the recent changes in travel security etc. The basic inference is that it looks like security but isn’t really.

I know this because I have had all sorts of things confiscated while trying to board a plane, but have never been arrested. Too much of a threat to take my plastic clamp on the plane but not enough for a life sentence at gitmo. At least I can take comfort knowing that none of the other passengers has a small plastic clamp with which to take over the plane (or the world).

I am now living through a vetting pantomime. I have been offered a (short term) contract at a UK bank, and now ‘just need to go through the security vetting process’.

I need a Disclosure Scotland; I can’t get one online as I don’t have a UK address. One suggestion was that I use the address of someone I know in the UK as my current residence. Hmm – false information?

They want a 5 year work history, which I have provided, but now they want the gaps explaining. Well derrr I’m a contractor, sometimes there are gaps…

No, they want me to send them bank statements for all the gaps! What the fuck for??? They haven’t specified which account so I guess I shouldn’t use the one with all those NSA/KGB payments for leaking vital information? Or at least I should ensure those payments do not fall in a month when I am not in a contract.

Someone suggested it is to see if I have ‘been away’, i.e. looking for a lack of transactions whilst held at Her Royal Britannic Majesty’s pleasure. It’s a joint account – there are transactions all the time (me putting money in, wife taking it out :-))

What are they going to do with my bank information? How can it help their vetting? It can’t. It’s stupid. If they came to me with a list of all my accounts then maybe, but that’s SC-level stuff, not Mickey Mouse 10-week contract stuff.

Why are banks wanting to recruit people that think it’s OK to spaff personal confidential information all over the interwebs??

That’s right, they want me to email them my bank statements: no mention of an SFTP secure upload facility, no details on the usage of the information, the storage, or the expiry/deletion. They just want people who don’t give a shit about information security. Incredible.

Leaving aside of course the irony that between me and this bank, only one of us has ever been found guilty of any fraud or criminality. And I don’t (mis)sell PPI or fix Libor rates.

I know I am too old and battle-scarred for this shit but really…

You’re the bad guy, oh no I’m not you’re the bad guy, oh no I’m not etc etc. He’s behind you…

Aaaanyway if you need a grumpy old fart with just enough knowledge about security to be cantankerous then let me know. It looks like I may be having a gap opened up in my agenda for me…

secure security

Wednesday, 6th February, 2013

Got this recently:

(image: disable)

Surprise surprise I chose… Disable!

If you are running 2010 and have VBA in password-to-open protected .xlsms, then they should probably be in a trusted location if you want the VBA to run. (I didn’t try very hard, but there didn’t seem to be an easy way to trust the doc; maybe temporarily taking the password off it, trusting it, then redoing the password would work.)

Unless you have AV that can scan them (which products do?).

cheers

Simon

Evil spreaddie fingered in RSA hack

Monday, 4th April, 2011

Dunno if you have been following the recent SecurID hack at RSA?

They fessed up then went quiet for a few weeks so a few people assumed the worst.

(If you don’t know what SecurID is, it is a little token (about 10mm by 30mm) that generates a new 6-digit number every minute. That number can be synched with a login server to ensure only people with the right physical token can log in.)

Anyway, the latest news is that an Excel workbook was infected with a targeted, malicious Flash SWF containing a zero day.

It does appear to be a very clever attack: the spreadsheet had such an interesting name that one of the targets pulled it from the junk folder and opened it, running the Flash. I didn’t see anywhere whether the workbook had any VBA in it or not.

One important point though is that it was a Flash vulnerability they exploited, Excel was merely the delivery mechanism. No Excel vuln was used, just its ability to act as a container.
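The container point above is the one a defender can act on. As an added example (not code from the original post), here is a Python check that looks for embedded Flash (SWF) headers inside a workbook, scanning every part of an OOXML zip or the raw bytes of a legacy binary file; the sample workbook it builds is constructed, and the FWS/CWS/ZWS signature, version byte and length field are the SWF format's own header layout.

```python
"""Scan an Excel file for embedded Flash (SWF) objects.

Added example, not from the original post. An SWF starts with a 3-byte
signature (FWS = uncompressed, CWS = zlib, ZWS = LZMA), a 1-byte version
and a 4-byte little-endian uncompressed length. We look for that header in
every part of an OOXML zip, or in the raw bytes of a legacy binary file.
"""
import io
import re
import struct
import zipfile

# Signature, plausible version byte (1..64), then the 4-byte length field.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40].{4}", re.DOTALL)


def find_swf_headers(blob: bytes) -> list:
    """Return (offset, signature, version, length) for each plausible SWF header."""
    hits = []
    for m in SWF_HEADER.finditer(blob):
        hdr = m.group(0)
        length = struct.unpack("<I", hdr[4:8])[0]
        if length >= 8:  # a real SWF is at least as long as its own header
            hits.append((m.start(), hdr[:3].decode("ascii"), hdr[3], length))
    return hits


def scan_workbook(data: bytes) -> dict:
    """Map part name -> SWF hits; '<raw>' is used when the file is not a zip."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        hits = find_swf_headers(data)
        return {"<raw>": hits} if hits else {}
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            hits = find_swf_headers(zf.read(name))
            if hits:
                found[name] = hits
    return found


# Constructed sample: a zlib-flagged SWF header with declared length 1234.
FAKE_SWF = b"CWS\x0a" + struct.pack("<I", 1234) + b"\x78\x9c" + b"\x00" * 20


def build_sample() -> bytes:
    """Constructed OOXML-style zip with the fake SWF hidden in an OLE part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 64 + FAKE_SWF)
    return buf.getvalue()


if __name__ == "__main__":
    for part, hits in scan_workbook(build_sample()).items():
        for off, sig, ver, length in hits:
            print(f"{part}: {sig} v{ver} at offset {off}, declared length {length}")
```

Run it against a real file by passing its bytes to `scan_workbook`; a hit only says a Flash header is present, which is worth a closer look rather than proof of malice.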

I didn’t see how they were discovered either, but it sounds like the attackers pretty much got most of what they were after.

I wonder how many other orgs have been hit by this sort of attack, and either haven’t discovered it yet or haven’t admitted it in public?

Got any good links?

cheers

Simon

Well done Microsoft

Wednesday, 23rd March, 2011

I just wanted to congratulate MS (& partners) on their efforts to bring down the Rustock spam machine.

I must check my online spam bin to see if it has reduced by 30% in the last few days. Either way, botnet takedowns can’t be a bad thing.

Have you noticed a drop in spam recently?

cheers

Simon

Office 2003 Info Rights fixed

Monday, 14th December, 2009

A couple of weeks ago I mentioned an issue I had seen in the newsgroups of folks being locked out of their Information Rights Management protected workbooks.

Opinions seemed to be mixed between ‘never heard of it’ and ‘would never use it’. But a few people did, and they got burned in November when it all stopped working and they were locked out of their own files.

Anyway, the issue is now apparently resolved by renewing an Office crypto certificate; full info and download available here. If you apply this fix please let us know if it does indeed resolve the problem, or not.

cheers

Simon

Wot, No Spreadsheets? – very OT

Thursday, 10th December, 2009

I’m gutted that spreadsheets don’t seem to have been implicated in the Climate Research Unit excitement. Why read_me_harry.txt instead of read_me_harry.xls?

Spreadsheets are ok for amateur mistakes, but pros use Fortran?

I’m also a little disappointed that the Government Broadcasting Company (BBC) doesn’t seem to be applying its normally fairly balanced reporting to this area.

I’ve had to switch to the Telegraph (FFS) to get some balance. And maybe even the Express!!

Over the last few months I have become more and more sceptical about the motivations and justifications for some of the stuff done ‘to save our planet’. Over the last few weeks I have become more and more sceptical about man’s influence on the climate. Over the last few days I have become very sceptical that the research is fit for its current purpose.

As it happens I bought a new USB portable drive last week – 320GB for 60 quid – I am amazed the CRU couldn’t find a similar amount to prevent the ‘loss’ of their ‘critical to the survival of mankind’ data, out of their alleged budget of 20 million.

What is your take on whether our activities are causing, or are about to cause, catastrophic changes to our planet’s climate? And what should we do about it?

Seems to me if the intention was to genuinely cut CO2 rather than fund their mates in ‘green’ industries and carbon trading the govt would be pushing for:

  • Those that can to work a minimum of 2 days a week from home
  • Encourage local sourcing of everything where possible
  • Encourage the extending of the lifetime of any and all equipment
  • Reforesting wherever possible
  • Local community-based power generation

As it is it just looks like they are trying to move us away from oil without actually explaining why. And keep their coffers full of course.

For info, here is a ‘climate change is our fault’ website.

Here is a ‘climate change is normal’ website.

Here is a WSJ article highlighting the broader concerns raised by the recent fun.

So, a couple of guidelines, then feel free to add your view below.

This is a fairly heated topic so I’ll moderate comments pretty tightly. The discussion is about the validity of the claim that human activity is the cause of changing climate. Comments in that area are welcome.

Personal attacks, nonsensical arguments and deceptive statements are not; I’ll delete these and publish the reason for your information.

Please keep your comments short and on topic and as polite as possible.

Irrelevant stuff like references to your own or others ‘green’ credentials etc will also go in the big round file.

Don’t feel compelled to comment; I’ll keep comments open for a day or so then close them to ease the moderation. After that, if you want to comment just email me and I’ll add it.

Have fun… (and play nice)

cheers

Simon

Next Monday: D Day for SOX gravy train

Saturday, 5th December, 2009

It seems some legal beagles in the US are taking the organisation behind Sarbanes Oxley to court on the basis that the way it is set up is unconstitutional.

Whilst mainstream IT thinks about that from a security-industry POV, there is the infant spreadsheet management industry to consider too.

SOX, and section 404 in particular, has been used to encourage organisations to take some responsibility for their crappy spreadsheets. Ideally they would de-crappify them, but in my experience companies prefer just to list them and claim they are now ‘managing them’.

It will be interesting to see what, if any, impact this legal challenge has. I think the current mood is for more legislation and control (certainly in the UK!). But maybe those that claim SarBox has damaged US business competitiveness will hold sway.

I have seen a few remediation/migration type roles on Jobserve recently so maybe orgs are taking this seriously now. There are a lot of ingrained habits to change though.

Are you getting much SOX/Remediation business?

cheers

Simon

Information Rights Management in Excel

Tuesday, 24th November, 2009

I was poking around the newsgroups last night when I came across a thread about IRM failing in Excel.

A few people seem to be suffering the same problem – within the last two weeks something changed and now their credentials are not accepted by Excel and they are locked out of their files (here is the link).

My first thought was the Nov security hotfix for 2007 and 2003, but actually the thread is developing more along the lines that something changed at Hotmail (the credential authority).

I have never used IRM:

  • a. because I don’t put my Excel machine on the internet
  • b. because the fear of being locked out of my own files far outweighs the comfort of knowing other people who might get hold of them will be locked out.

Do you use IRM?

Do you have a fix for the issue these folks are seeing?

cheers

Simon

Should we care about the Clients Environment?

Friday, 20th November, 2009

Dennis made an interesting comment on a previous thread about how as developers we should be making use of multiple virtual machine technology to mimic our clients’ environments so we can better support them.

It’s a good point… but I completely disagree.

Some developers should do that for sure, what Microsoft calls ‘professional’ developers perhaps. I prefer to think of Excel/VBA developers as business developers, we are a bit closer to the business and a bit further away from the bits and bytes of hardcore coding.

We express our business knowledge in Excel and VBA for a variety of reasons. One vital one for me though is ease of deployment and hence support.

If I write a decent spreadsheet in Excel 2000, I can reasonably expect it to work perfectly in Excel 2000, 2002, and 2003. I can expect it to work at least partially in 2007. That is irrespective of the wider target environment, user rights, security credentials, previously installed components, corporate build oddities etc etc. There is no DLL hell in Excel*.

If the client has Excel, they can run my application. Full stop, end of.

(Of course there is a little excitement about macro security, the way they messed up expired signatures, the fact no one uses them because they are such a blatant scam etc)

*(OK, so we sometimes get ‘cannot find project or library’, but if we keep things close to Excel/VBA and develop with care, and with some consideration for the client’s environment, that doesn’t happen much and can usually be easily fixed.)

This trivial deployment leaves us business developers free to invest our time in understanding the business better and improving our software development skills. Deployment skills? System admin/security skills? Heard of them; don’t want them or need them.

This is one of the biggest reasons I have not focused on .net – it’s a deployment nightmare. Of course that’s solvable: just invest a bunch of time and effort learning sys admin stuff and security stuff, and a bit of virtual machine trickery, and job’s a good’un. But I don’t want to do that; I want to improve my business knowledge and my coding skillz. Luckily Microsoft caters for folks like me with Excel VBA.

Don’t get me wrong .net works well for corporate developers (once they have the required sys admin knowledge) but for independent devs like me, there is way too much pain to trawl through to distribute and support custom built .net components.

So I care a little bit about my client’s environment, but not much. And frankly I think the fact that developers have to spend time and effort creating such close replicas of a client’s environment is a huge fail for Windows software development and for Microsoft. ‘Write once, deploy everywhere’ – in yer dreams!

Major service packs? Fair enough. When you need to remotely replicate their level of hotfixes across a broad swathe of operating system components and applications, the process is seriously broken IMO.

When I did ASP development I had to get intimate with IIS to be able to work out, when things went wrong, whether it was our code or the server environment. If my Excel app goes wrong, it’s my code, no investigation required (roughly).

I don’t have anything against .net, there is much about it I like, I just don’t think it’s aimed at pragmatic, delivery-focused independent desktop developers (like me). (Hence, for the observant, the pic is from .net 1.1 from 2003.) I jump at any chances I get to develop in C#, the joy of a modern language and a modern IDE, but this tends to be when I am contracted on-site in the role of corporate dev, rather than independent software developer.

What about you? Do you find distributing your .net apps a true joy, the real highlight of your dev cycle?

Are you juggling more than 10 virtual machines, and keeping the patching in step with clients?

Which do you prefer development or deployment?

Do you agree with the separate roles of corp dev and business dev?

Cheers

Simon

New Excel zero day exploit

Thursday, 26th February, 2009

Be careful what you are opening!

Seems there is a new vuln being actively exploited – across all recent versions of Excel, including the viewers.

cheers

Simon