Dad needs a new computer?!

One of the banes of most IT Professionals is when family members ask for help with purchasing a computer, or worse yet, they just purchased something from a big-box retailer and need help.

This is a multi-part story inspired by my dad who called me recently for a computer question he had. It made me realize that 13 years ago I helped him purchase the computer he currently has. I couldn’t believe it’s been that long! I’m thankful that after he received the catalog for home computers from Dell that he immediately came to me to ask for advice…

Now I’ll get back around to what computer I help him select because I want this to sink in for just a moment…

My dad has a desktop computer,

that was purchased 13 years ago,

that he is still using…

And as for performance, it is working just as good today as it did when it was first purchased… Almost unbelievable! Oh, and he has no plans on replacing it either!

Okay, now as the commercials for miracle weight loss say, “results are not typical”… but they are not wholly unexpected. Let’s talk about this a bit.

My first advice to anyone purchasing a computer for home use is to skip the big-box stores, and even anything seemingly consumer grade. Everything in this realm seems to be designed with a short lifespan in mind: cheaper parts, poorer construction, etc. Not to mention all of the consumer bloatware that seems to come on them. So the first thing I tell anyone and everyone is to go straight to a major computer seller’s “enterprise” tab on their page, be it Dell or HP or whomever. Normally anybody can still just order these, and the benefits are more solid construction, longer MTBF and usually far less bloatware preinstalled. In this case, 13 years ago I had my dad purchase a Dell OptiPlex workstation.

Now if you simply did that, it shouldn’t be surprising to get 6+ years out of the hardware; to get over 10 years is to really be getting your money’s worth. Truth be told, he did have to replace the power supply once, but that was likely caused by a recent series of lightning storms in his area that the little power-strip surge protector couldn’t really protect against.

But okay, let’s talk about performance… There are really two prongs to why this thing performs so well…

First, he uses his computer for just word processing — and printing — nothing else. Nothing online, and he wanted his computer to be as secure as possible from such threats… So, that makes things really easy… Realize that if the computer is an island, there is no external connectivity – no internet, no USB drives, etc. Then it really is an island. What are the threat vectors in this case? None really. So, do you need patch management? Not if the system is working. Most ‘bugs’ patched these days are about vulnerabilities, not functionality. And honestly, after 13 years, if there are any functionality quirks, he doesn’t see them as such, but just works through or around them. It really is surprising to see how stopping patching significantly improves system performance and reliability!

For the record, I’m a huge proponent of patch management – but that is because in virtually all cases you have threat vectors you need to account for. But let’s pause for just a moment, and think about that — are there places or situations where you can vastly improve security and performance by outright removing a threat vector such as the internet? It’s also worth mentioning that because of this lack of patching, the 2007 Daylight Saving Adjustment was never patched on his computer. But there are ways to manually patch this yourself on such systems.

But beyond that, let’s talk about the statement that it runs at the same performance level. That is a true statement, although perhaps a bit misleading. Do you remember having to wait for Windows XP to boot up? I sure do. Although if you think back, XP made a lot of waves because it did boot much faster than prior operating systems of the day. But that aside, Windows 10 boots almost instantly. That is what end users expect these days; my iPhone is instant on… The concept of having to wait befuddles us nowadays. So by today’s comparison, the computer is slloooooowwwww. But that is just my modern comparison. It works just as fast as it always has… After all, the processor is still ticking away at the same speed, and the software hasn’t changed at all.

The biggest reason it isn’t a problem for him is that he has no point of comparison. He is retired, the computer works the way it always has. He hasn’t worked on more modern, faster computers.

It’s also probably a mindset — my parents have hundreds of VHS movies. Sure, they have DVD and the latest Blu-ray discs, mostly because it’s virtually impossible not to buy a Blu-ray player. So sure, they’ve got the latest and greatest, and the quality is better than VHS. Although who knows how well they actually see with their aging eyes. But why throw out thousands of dollars’ worth of working (inferior) VHS movies and buy the same movies again in higher quality, when, at the end of the day, it is the exact same movie, story, actors, lines, etc.? And most of those movies really were filmed using the inferior camera equipment of the day… So is there really a big difference with Gone with the Wind on Blu-ray, since it was captured with 70-year-old, non-digital camera technology?

In the end it’s a bit of a philosophical discussion. Perhaps.

But what’s the takeaway from this article, if any? I would propose a few points:

  • Purchasing: realize that the enterprise gear is often worth it even for personal use because while it can be marginally more expensive, it can last far longer. I think his tower cost sub $500.
  • Security: Consider how in every environment security and performance can be improved by mitigating threat vectors. Remember that patch management is one tool we have to address threats and isn’t a panacea into itself.
  • Performance: Performance is very relative, and subjective. Each use application is different – purchasing or upgrading in blanket terms is wasteful. Each user, department, or situation can often be different and unique. Address them as such.

Scotch Box – Dead simple Web Development

In this series, I’ll demonstrate some of the web development tools I use. Today we’ll cover Scotch Box — a virtual development environment for your local machine.

Many people begin development by working directly on live, production web servers. Sometimes they’ll work in a sub-directory or a different URL. However, there are several drawbacks to this approach.

  1. Performance: Every update of your files requires them to be sent over the internet, and equally your tests also need to come back over the internet. While each of these is probably only an extra second of latency for each file, it can quickly add up over the lifetime of development.
  2. Security: Let’s face it, development code isn’t the most secure out of the gate. I was recently developing a custom framework and, in the process of writing the code for the display of images, introduced a bug which would dump any file to the browser, even PHP code or environment variables.
  3. Debugging: Debugging tools such as Xdebug shouldn’t be installed on production servers as it can accidentally expose sensitive data.
  4. Connectivity: You must be connected to the internet to develop, so no internet connection, no development.
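As an added example (my own code, not from the post or from Scotch Box), here is the shape of the bug the Security point describes beside its hardened form, written in Python so it runs stand-alone: the unsafe function joins the requested name onto the image directory and reads whatever that points at, while the safe one canonicalises the path, confines it to the image directory and allows only image extensions. The directory layout and the config.php contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Only these suffixes may ever be returned by the image endpoint.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def serve_image_unsafe(image_root: str, requested: str) -> bytes:
    """The bug pattern: join the request onto the directory and read whatever results.
    '../config.php' or an absolute path walks straight out of image_root."""
    return Path(image_root, requested).read_bytes()


def serve_image_safe(image_root: str, requested: str) -> Optional[bytes]:
    """Hardened version: resolve the final path and refuse anything outside image_root
    or anything that is not a regular image file."""
    root = Path(image_root).resolve()
    target = (root / requested).resolve()
    # Confinement check: the resolved target must sit strictly below the image directory.
    if root not in target.parents:
        return None
    if target.suffix.lower() not in ALLOWED_SUFFIXES or not target.is_file():
        return None
    return target.read_bytes()


def demo() -> dict:
    """Build a constructed web root in a temp directory and exercise both functions."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp, "images")
        images.mkdir()
        Path(images, "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        # Constructed secret that must never leave the server.
        Path(tmp, "config.php").write_text("<?php $db_pass = 'constructed-secret';")
        leaked = serve_image_unsafe(str(images), "../config.php")
        return {
            "unsafe_leaks_config": b"constructed-secret" in leaked,
            "safe_blocks_config": serve_image_safe(str(images), "../config.php") is None,
            "safe_blocks_absolute": serve_image_safe(str(images), str(Path(tmp, "config.php"))) is None,
            "safe_serves_logo": serve_image_safe(str(images), "logo.png") == b"\x89PNG constructed placeholder",
        }


if __name__ == "__main__":
    print(demo())
```

The confinement check is done on the resolved path rather than by string-matching for "..", so symlinks and absolute paths are caught as well; the suffix allowlist is a second, independent gate.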

So for most of my projects, I develop first on my laptop. But instead of installing a full LAMP stack on my desktop (where I’d have a database and web server running full time in the background), I use a virtual machine through Oracle’s free VirtualBox hypervisor. And instead of having one virtual machine host multiple projects, which might have different development needs (specific PHP versions, databases, etc.), I spin up a new virtual instance for each project. This is made super easy through a tool called Vagrant. As they say:

Development Environments Made Easy

This post assumes you already have both Oracle’s VirtualBox and Vagrant installed on your local machine.

My favorite development stack is Scotch Box — perhaps this is because I love scotch, but more likely because it’s (in their own words): THE PERFECT AND DEAD SIMPLE LAMP/LEMP STACK FOR LOCAL DEVELOPMENT

It’s three simple command line entries and you get access to:

  • Ubuntu 16.04.2 LTS (Xenial Xerus) OS
  • Apache Web Server
  • PHP v7.0
  • Databases: MySQL, PostgreSQL, MongoDB, SQLite
  • NoSQL/Cache: Memcached, Redis
  • Local Email Testing: MailHog
  • Python v2.7
  • Node.js
  • Go
  • Ruby
  • Vim
  • Git
  • Beanstalkd
  • And much more.

Within PHP it includes tools like Composer, PHPUnit and WP-CLI. Also, since this is designed for development, PHP errors are turned on by default. It works with most frameworks out of the box, with the exception of Laravel, which needs just a bit of tweaking. All major CMSs are supported, like WordPress, Drupal and Joomla.

And if you want access to more updated versions, such as PHP 7.2 or Ubuntu 17.10.x, you can pay just $15 for their pro version which comes with so much more!

So how do you install it?

  • From the command line, go to your desired root directory, such as Documents
  • git clone https://github.com/scotchio/scotchbox myproject
  • cd myproject
  • vagrant up (learn how to install Vagrant)

You can replace “myproject” with whatever you want to name this specific development project.

After you run “vagrant up” it will take several minutes to download the code from the internet. Then you’ll be all set. You can browse http://192.168.33.10/

For shell access SSH to 127.0.0.1:2222 with the username of vagrant, and password of vagrant.

You’re all set.

Configuring a basic Road Warrior OpenVPN Virtual Private Network Tunnel

If you’re a road warrior like me, you’re often accessing the internet from insecure hotspots. All traffic that traverses an open wireless connection is subject to inspection, and even on secured wireless networks you don’t control, your activity is subject to monitoring by whoever provides the connection (trusted or otherwise), by ISPs, and so on.

To help keep what you’re doing private, I suggest always using a secure VPN tunnel for all your roaming activity. This guide will show you how to set up your own VPN tunnel using Linode for only $5 per month! Why pay a third-party company more for your privacy when you can run your own, with unlimited usage for yourself and whoever else you decide to give access to?

Now to be clear upfront, the purpose of this setup is to provide secure tunneling when you’re on the road on untrusted networks such as hotels or coffee shops. One of the reasons people use VPNs is to provide general internet privacy, which this setup will NOT provide. It does, however, allow you to appear to be connecting to the internet from another geographical location. Linode has 8 datacenters, spanning the US, Europe, and Asia Pacific, so you can configure it so that it appears you’re connecting from a different location than where you’re actually located. There are other benefits too, such as giving you a fixed WAN IP address: when you’re configuring security for your services, you can lock down access to a specific remote IP. Think of only allowing remote connections to your server/services/etc. from a single IP address. That provides much stronger security than just leaving remote access open.

Let’s get started with the configuration:

This post is going to assume you already have a basic Linode setup. Here is how to install the OpenVPN Server in a very simple way. That way, these instructions will work with any Ubuntu Linux Server. Leave comments if you’d like a full setup guide and I’ll throw it together for you.

  1. Remotely connect to your server (such as SSH)
  2. Login as root (or someone with sudo rights)
  3. Run the following from the command prompt: wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
  4. When prompted I suggest the following configuration:
    1. UDP (default)
    2. Port 1194 (default)
    3. DNS of 1.1.1.1 (see this link for more info)
    4. Enter a name for your first client name – this is unique for each client. So for example, I’ll call my first one Laptop
  5. The file is now available at /root/ under the filename equal to the client name you specified in step 4.4 — in our example /root/Laptop.ovpn
  6. Download that file to your local computer using the transfer method best for your system:
    1. Linux/macOS: use scp
    2. Windows: use WinSCP
  7. You’ll want to download the OpenVPN client from https://openvpn.net/community-downloads/
  8. Install the Laptop.ovpn file you downloaded into OpenVPN client – for Windows, right click on the systray icon, choose import – from file. Choose the Laptop.ovpn file you copied from the server. After you choose the file it might take a minute or so, and you should see a notice that the file was imported successfully. Then check the systray icon again and you’ll now see the server WAN IP address listed. Then you simply click that IP address then connect, and you’re all set.
    1. The first time you initiate a connection you may be prompted to trust this unverified connection, this is because you’re using a self-signed certificate. For basic road warriors, this is sufficient. If you’re a corporate IT department, you might want to consider using your own certificate, either trusted or enterprise certs.

You can simply repeat steps 1-3 above, and at step 4 you’ll only be prompted for the client name. Do this for every device and/or user that needs to remotely access this server. For me, I use a separate key for my laptop, phone, and tablet. If they’ll be connected at the same time, you’ll need separate keys. You can also run through the same steps to revoke certificates – so you want to make sure you name them something logical, such as myAndroid, kidsiPhone, wifesLaptop, etc.

Enjoy!

W32/autorun.worm.aaeb-h Outbreak

I don’t typically post on virus or malware outbreaks because it would consume too much of my time and they are simply too frequently created. For the most part, if you run your network and systems with the concepts of defense in depth and principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it modifies the permissions so the executable is hidden. When used with removable media (think USB flash drives, or even MP3 players), it will modify the autorun.inf to auto-run the executable. It will also infect files with common file types such as audio (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of the following file names will indicate you might have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable autorun feature
  • Prevent the use of USB media for mission-critical servers
  • Ensure scanning is enabled for removable media
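As an added defender’s example, not from the advisory or from any vendor: a small Python scanner that walks a mounted removable volume or network share, flags the indicator filenames listed above (matched case-insensitively, as Windows does) and reports any autorun.inf whose launch entry would run a program when the media is inserted. The sample media layout it builds in a temporary directory is constructed for the demonstration and contains no real binary.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Indicator filenames from the advisory text, lowercased for case-insensitive matching.
INDICATOR_NAMES = {"secret.exe", "sexy.exe", "pron.exe", "password.exe", "x.mpeg"}

# autorun.inf keys that cause Windows to launch a program on media insertion.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into lowercase key -> value."""
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a volume or share and return (reason, path) findings for review."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in INDICATOR_NAMES:
                findings.append(("indicator filename", full))
            if lower == "autorun.inf":
                try:
                    entries = parse_autorun(Path(full).read_text(errors="replace"))
                except OSError:
                    continue
                for key in AUTORUN_LAUNCH_KEYS:
                    if key in entries:
                        findings.append((f"autorun.inf launches via {key}={entries[key]}", full))
    return findings


def build_sample_media(root: str) -> None:
    """Constructed sample: a layout mimicking the pattern the advisory describes."""
    Path(root, "Secret.exe").write_bytes(b"MZ constructed placeholder, not a real binary")
    Path(root, "holiday.mp3").write_bytes(b"ID3 constructed placeholder")
    Path(root, "autorun.inf").write_text("[autorun]\nopen=Secret.exe\nicon=Secret.exe\n")


def demo() -> List[Tuple[str, str]]:
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_media(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason}: {path}")
```

Point scan_tree at a mount point or a UNC share path to review it; the findings are leads for the antivirus scan and the autorun policy above, not a verdict on their own, since the worm also writes into existing media and document files that a filename check will not catch.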

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb

Hashed Passwords

Something making a lot of news in the papers recently is compromised usernames and passwords. This has been seen from companies such as LinkedIn, Yahoo and Dropbox. In some of these cases they are storing passwords unencrypted, so that once someone captures the data, they know your actual password. And since many people share passwords among accounts (using the same password for LinkedIn and Facebook), it opens your account to being compromised on multiple systems. This is made worse when more sensitive logins, for bank accounts or your work e-mail, use the same password you used on Facebook.

One common technique used by web developers, and programmers in general, is to NOT store your actual password but rather a hashed version of it. Hashing is a form of one-way encryption: once data has been hashed it cannot be reversed (hence the “one-way” part). It is also specifically designed so that no two inputs create the same output; in fact, even a single-character difference usually results in a radically different output. So this is often used so that nobody, not even the database, needs to know your real password. When you enter your password at login, it is run through the same hashing algorithm and the output is compared with what is stored in the database for your password.

To make this more secure, many web developers will also add “salt” to the hashing process. That is, they add some extra information to your input before it is hashed. The benefit of this is that, as long as the salt is kept secret, it makes it significantly more difficult for your actual password to be discovered.
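The register-and-verify flow described above, as an added example in Python using only the standard library (my code, not from the post). It stores an algorithm tag, an iteration count, the salt and the digest, never the password, and verification recomputes the digest from the candidate and compares it in constant time. The salt is generated per account and kept next to the digest, which is how most frameworks do it: a unique salt stops an attacker from precomputing one table that cracks every account at once. The iteration count is an assumption chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Assumption: illustrative value; tune it to your hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn for every new record."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def make_record(password: str) -> str:
    """What the database stores: algorithm, iterations, salt and digest.
    The password itself is never written anywhere."""
    salt, digest = hash_password(password)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-run the same hashing over the candidate and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as no match rather than crashing the login path
    if algorithm != ALGORITHM:
        return False
    _, recomputed = hash_password(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def records_differ_for_same_password(password: str) -> bool:
    """Two accounts with the same password get different stored values, because each gets its own salt."""
    return make_record(password) != make_record(password)


def one_character_change_differs(password: str, changed: str) -> bool:
    """With the salt held fixed, even a one-character change yields an unrelated digest."""
    fixed_salt = bytes(SALT_BYTES)  # all-zero salt used only for this side-by-side comparison
    _, a = hash_password(password, fixed_salt)
    _, b = hash_password(changed, fixed_salt)
    return a != b


if __name__ == "__main__":
    record = make_record("correct horse battery")
    print(record)
    print(verify_password(record, "correct horse battery"), verify_password(record, "wrong"))
```

A site that can e-mail you your old password cannot be doing this: nothing in the stored record lets anyone, insider or intruder, recover the password except by guessing candidates and running them through verify_password.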

What brings this to mind is something I encountered today. I forgot the password for a specific online portal that I rarely use, and since I never document passwords, it is really all left up to my memory to recall. Typically when you go to a website and click “forgot password” they will e-mail you a new password or a link to create a new password. However, in this case, they e-mailed me my password. What this illustrates to me is that they don’t actually hash their passwords, and likely don’t encrypt them either. With this, I know for certain that it is possible for someone at that company (or someone with malicious intent) to access my password. This is very concerning.

In the day that we live in, it is very important that we ask our vendors to be using more secure methods for storing our passwords. If they can tell us what our passwords are, this is concerning.

Also, since we cannot always force a vendor to do something, please remember to be vigilant in how you handle passwords. Avoid reusing the same passwords online, and ensure that you are changing them periodically. If one of the services you use (such as LinkedIn) has a data breach, be sure to change all passwords for the places where you used that password.

Enjoy!

Finding unused user accounts in active directory

Periodically it is a good idea to audit/review your user accounts in Active Directory to find unused accounts. This helps find terminated employees you might not know about, or role accounts which aren’t being used anymore. Sometimes you’ll discover temporary accounts which were setup for testing and have been abandoned.

It is very easy to query Active Directory for this: open a command prompt on your domain controller and enter:
dsquery user -inactive 4

The number after -inactive is the number of weeks the account has gone without logging on; 4 is only an example, so pick the threshold that matches your review policy.

You’re all set.

The tools I use…

Here are some of my favorite applications I have installed on my computer, and often install right away, in no particular order:

  1. Microsoft Office Professional Plus – This is the obvious must have software for anyone interacting with other businesses. I really enjoy the seamless operation between products and how it makes interacting with the business world so much easier. I have tried Open Office, and it is a faster, less bloated office productivity suite and significantly less expensive. However, it is still only 90% real-world compatible with Microsoft Office, and thus can be a real pain. This is especially true when it comes to situations where page formatting is critical. When you factor that in, in many cases, the time I would spend working around the compatibility issues, Microsoft Office is actually less-expensive — something I think people need to consider a bit more often when looking at free tools… But alas, this list is filled with free tools!
  2. Microsoft Acrobat Professional – Yes, I have used (and continue to use) a number of low cost PDF creation tools such as pdf995 – which I really enjoy – and often recommend for users looking for simple print-to-pdf features; but I really appreciate all of the features which come in the full fledged product such as the ability to optimize scanned documents, perform OCR to make a scanned document searchable, and the ability to create interactive forms.
  3. Notepad++ is probably the best text editor I have used in a long time. It is a great improvement over the built in Notepad. The color coding when viewing code such as HTML, PHP or Java is very helpful, and there are additional plug-ins available.
  4. CuteHTML is no longer a developed application, but I have used it for so long that I am simply used to its interface and appreciate the built-in FTP application. I use it frequently to edit HTML and PHP code. I know there are better applications out there, but this is simply used out of familiarity and habit.
  5. CuteFTP has been my preferred paid FTP application for ages, but I have honestly stopped installing it on new systems and simply use FileZilla, whose features match closely enough to meet 99% of my needs. This program permits multiple FTP downloads from multiple FTP servers at the same time and supports FTP, SFTP and FTPS. It is mature and actively developed.
  6. Virtual Drive Clone – my favorite application for mounting ISO images as optical media.
  7. Microsoft OneNote – while technically part of the Microsoft Office Suite above, I call this one out for two tools that a lot of people don’t know about. First is that there is a screen clipping tool built into it. There are a lot of screen clipping tools available, both free and paid for, but this one is already built into a Microsoft Office application, so there is no extra software to download, install, patch or even take up system resources. A simple press of Windows-S enables you to clip any part of the visible windows. I use this frequently for creating documentation or PowerPoint presentations. The second part is that it is slowly replacing my trusty physical paper notepad. And using OneNote 2010 with Microsoft SkyDrive, it keeps my laptop, desktop and work computers all synced. Love it!
  8. Drop Box – along the lines of syncing data, I am starting to use Drop Box for non sensitive data. They can help keep your data synced between multiple devices including mobile devices. Due to a recent security flaw, there was the potential for your data to be accessed by other users. As with any technology like this, I discourage the use for anything sensitive.
  9. Keepass safe – A password manager which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk.
  10. VLC – A highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, …) as well as DVDs, VCDs, and various streaming protocols.
  11. Log me in – Each of my systems has this installed, and I really appreciate that even after you logon to the website, to access your system, it still requires you to enter whatever password you use on your computer to access it.
  12. Trillian – While I rarely use instant messenger anymore, Trillian is a fantastic, fully featured, stand-alone, skinnable chat client that supports AIM, ICQ, MSN, Yahoo Messenger, and IRC – all in one application and interface.
  13. CCleaner – A system optimization and privacy tool that removes unused files from your system, allowing Windows to run faster and freeing up valuable hard disk space.
  14. Google Picasa – A free software that helps you locate and organize all the photos on your computer, edit and add effects to your photos with a few simple clicks and share your photos with others through email, prints and on the web.
  15. Remote Desktop Manager – If you are frequently connecting to remote resources such as via RDP or VNC, this is the tool for you. It offers built-in support for Microsoft Remote Desktop, Terminal Services, VNC, LogMeIn, TeamViewer, FTP, SSH, Telnet, DameWare, X Window, VMware, Virtual PC, pcAnywhere, Hyper-V, Citrix, Radmin, Microsoft Remote Assistance, Oracle VirtualBox and more.
  16. PuTTY is probably the most common, versatile multi-protocol client application and our longtime favorite choice for all our SSH needs. To many PC power users an SSH client is absolutely vital to their everyday operations, and PuTTY is the most popular Windows client for a reason.

Any user can unlock now with this custom GINA

From the folks over at Paralint, there is now a utility to help you with shared computer access. Often you will have a shared computer in an office space, and the problem is that you want each user to have their own username and password; however, that doesn’t always work out so well. Once you add a password-locked screen saver, and a user forgets to log off, that computer is now unusable to any other normal user.

What are your options? Typically we have been forced into one of the following:
1) Users know each other’s passwords;
2) Reduce the security by removing the password requirement or granting other users administrator permissions;
3) Users simply power off/on the machine to work around the issue;
4) Or they can use the windows based “winexit.scr” which will effectively forcefully logoff the user when the screen saver kicks on.

However, with this custom GINA you can now enable any user to log off the offending user without requiring administrative permissions or changing your security routine. Aucun is a replacement GINA that wraps Microsoft’s own MSGINA.DLL to allow any given group of users to unlock or force logoff of a locked session on a Windows machine, unless the currently logged-on user is a member of a group you specify.

I created this for a friend that needed an unlock feature. By popular demand, I added force logoff and warning display. Here is a more detailed feature list:

  • GUI provided by original MSGINA.DLL (no training of end user required)
  • Allows any member of a given group to force logoff a locked session
  • Allows any member of a given group to unlock a locked session
  • Supports an exclusion group (to prevent unlocking administrators by regular users)
  • Allows to display a custom message when the workstation is locked
  • Supports 64 bits versions of Windows
  • Supports international versions of Windows
  • Allows chaining multiple Gina’s together

You can learn more about this and download here: http://www.paralint.com/projects/aucun/

HIPAA Compliance & Faxing

The primary objective of HIPAA is that health organizations have the infrastructure and procedures – administrative, technical and physical – that allow them to safeguard patient health information from any kind of exposure or disclosure to unauthorized parties when this information is required to be transmitted or delivered to authorized individuals.

HIPAA does not prohibit the use of fax machines to communicate PHI; however the information is subject to strict regulations that protect the privacy and security of the information both at the point of dispatch, during transit and at the point of delivery.

The security provisions of HIPAA require “reasonable” efforts to make sure that the information delivery via fax has been sent securely and was received securely and by the person intended.

HIPAA makes a number of demands to ensure that patient health information is properly protected. These, in relation to security and privacy, include:

  • All fax machines are to be placed in a secure area and are not generally accessible.
  • Only authorized personnel are to have access, and security measures should be provided to ensure that this occurs.
  • Destination numbers are verified before transmission.
  • Recipients are notified that they have been sent a fax.
  • Include a cover sheet clearly stating that the fax contains confidential health information, is being sent with the patient’s authorization, should not be passed on to other parties without express consent, and should be destroyed if not received by the intended recipient.
  • Any patient data should be in the fax body and not in any of the data fields.
  • Faxes are to be sent to secure destinations; i.e., the fax machine of the recipient must be in a secure location, accessible only by those authorized to receive the information.
  • Maintain a copy of the confirmation sheet of the fax transmission, including the necessary data such as time and recipient’s number.
  • Confirm fax delivery by phoning the recipient.
  • Received faxes are to be stored in a secure location.
  • Maintain transmission and transaction log summaries.
