Blog: Security and Compliance

After working with SecurID to migrate to a new server (which requires a complete new server, fresh install of the software, access to the original seeds, backup and restore of the current database, etc.), we finally got the RADIUS server responsive, but I still could not get it working with the Cisco routers.  One particularly aggravating issue that held me up for a while is that the router not only allows for the configuration of multiple RADIUS servers, but it allows multiple entries for the same server.  Thus, if you initially use the wrong port numbers, and you re-enter the line with the correct port numbers, the line with the incorrect information will remain active and your RADIUS tests will continue to fail.

Lesson learned:  Sometimes you have to read through your configuration again, to make sure everything is the way you “know” it is.


 

A review of more than 200,000 4-digit PINs used on mobile phones revealed the following as the most common (in order):

  1. 1234 (used by more than 4% of the sample group)
  2. 0000
  3. 2580 (straight down the middle of the keypad)
  4. 1111
  5. 5555
  6. 5683 (spells LOVE)
  7. 0852 (straight up the middle of the keypad)
  8. 2222
  9. 1212
  10. 1998

The 10 most frequently used PINs represent more than 14% of the total sampled.  Thus, with this distribution of PINs, you have a 1 in 7 chance of guessing the correct one in 10 tries.

Years are always popular when coming up with a 4-digit PIN (see number 10 above).  So, birth year, graduation year, etc. would also be a good guess if these are known.

Regardless, it's a very good idea to recommend people NOT use these particular PINs (at least the first 9 plus predictable years).
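As an added example (not part of the original post), the check below turns that recommendation into a policy function: it rejects the ten listed PINs and anything that reads as a plausible year, and, going one step beyond the list, the patterns behind most of its entries (a single repeated digit, a digit run such as 3456, a repeated pair such as 4545). It also reproduces the "1 in 7" figure from per-PIN shares. Only the shares for 1234 (just over 4%) and for the top ten together (just over 14%) come from the post; the other per-PIN shares are constructed placeholders that sum to the stated total, and the 1940 lower bound for "predictable years" is an assumption.

```python
from datetime import date
from typing import List, Optional

# The ten most common PINs reported in the post, in ranked order.
TOP_10_PINS = ["1234", "0000", "2580", "1111", "5555",
               "5683", "0852", "2222", "1212", "1998"]

# CONSTRUCTED per-PIN shares of the sample. Only the first value (just over 4%)
# and the total of the ten (just over 14%) are given in the post; the other
# values are placeholders chosen so that the ten sum to 0.14.
TOP_10_SHARES = [0.04, 0.02, 0.015, 0.012, 0.011,
                 0.01, 0.01, 0.008, 0.007, 0.007]

# Assumed lower bound for birth/graduation years worth blocking.
EARLIEST_LIKELY_YEAR = 1940


def is_weak_pin(pin: str, current_year: Optional[int] = None) -> Optional[str]:
    """Return the reason a PIN should be rejected, or None if it passes.

    Implements the post's advice (block the listed PINs and predictable years)
    and, as an extension, the generic patterns behind most of the listed PINs.
    """
    if len(pin) != 4 or not pin.isdigit():
        return "PIN must be exactly four digits"
    if pin in TOP_10_PINS:
        return "in the top-10 most common PINs"
    if len(set(pin)) == 1:
        return "single repeated digit"
    # Digit runs such as 3456 or 8765: every neighbouring step is +1 or -1.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return "sequential digits"
    # Repeated pairs such as 4545 or 7878.
    if pin[:2] == pin[2:]:
        return "repeated digit pair"
    year = current_year if current_year is not None else date.today().year
    if EARLIEST_LIKELY_YEAR <= int(pin) <= year:
        return "looks like a year"
    return None


def success_rate(shares: List[float], guesses: int) -> float:
    """Probability that an attacker who tries the `guesses` most common PINs
    (most common first) hits the victim's PIN, given each PIN's population share.
    The lockout limit on the device is exactly this `guesses` parameter."""
    return sum(sorted(shares, reverse=True)[:guesses])


def one_in(probability: float) -> int:
    """Express a probability as 'one in N', rounded to the nearest integer."""
    return round(1 / probability)


if __name__ == "__main__":
    for candidate in ["1234", "1987", "3456", "4545", "7391"]:
        print(candidate, "->", is_weak_pin(candidate, current_year=2012) or "ok")
    p = success_rate(TOP_10_SHARES, 10)
    print(f"10 guesses succeed with probability {p:.2f}, i.e. about 1 in {one_in(p)}")
```

Pass `current_year` explicitly when the check runs in a batch job or test so the year rule does not drift as the calendar moves.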


 

Recently, I needed to log into the console of our PGP Universal Server to verify the version level of Apache installed. Unfortunately, the Universal Server is (intentionally) locked down since all the tools required to manage the server are built into the web console. When the server is initially installed, you do not have access to log in via SSH or through the console because of the locked nature of the kernel. (Sidenote: there are supported ways to set up SSH access through the use of private keys). Fortunately, since the server is based in Linux, it’s trivial to “break in” and get access to the console. All that is required is physical access and some downtime.

Step 1: Reboot the server

Step 2: When Grub loads, interrupt the auto-boot sequence and press ‘a’ to edit the kernel arguments before booting

Step 3: Add a space and the word “single” (lower case) to the line and press enter.

Step 4: Enjoy your root access.


 

As most know, when using PGP to encrypt a hard drive, you enter your password at the boot screen and it will log you into Windows. After redeploying a laptop for a new user, PGP would not pass the new username through to Windows. It would stop at the Windows credential prompt with a previously used username. After a fair amount of troubleshooting and research, it was determined the problem was with the TPM chip.

PGP can be configured to use password only or TPM and password to authenticate users. PGP on this laptop had been configured to use TPM and password. The TPM chip had become locked out by the previous user, which prevented new users from accessing the TPM chip. So you could add a new user to PGP, but it never would add the user to the TPM configuration, and there was no error stating this.  Since the old user’s password was not available, it required deactivating the TPM chip. Before deactivating TPM, the administrator account being used was changed to password only in PGP. If this change wasn’t made to the administrator account first, it would have been locked out of PGP. TPM was deactivated and the laptop rebooted. TPM was reactivated and the laptop rebooted. The new user account was added back to PGP and the laptop rebooted again. This time PGP passed the username through to Windows without any problems.


 

The other day I tried to take an old laptop from one of our auditors to use on an audit.  When the auditor got his new laptop he migrated his entire system partition to the new machine, then renamed the machine on the domain.  This had the effect of updating his domain machine account to the new machine, and essentially killing his old machine's ability to logon to the domain.  This might not be a huge deal, except the old machine was set up to use RSA. 

From my understanding, RSA kills access to local accounts.  So, without being able to log in with local accounts or domain accounts (since the machine account was essentially removed), the old laptop was pretty useless.  To work around the authentication issue I had to have the previous owner log in to the machine offline (i.e., with it unplugged from the network so cached credentials would be used).  I was then able to enroll one of my fingerprints under the auditor's account to allow me to use his old laptop offline for a few days before doing a full cleanup and rejoining the domain.

So, the lesson to be learned is, if you are going to migrate an old system to a new system using the same old domain machine account, please go back after the process and clean up the old machine (remove RSA, rejoin the domain, reinstall RSA) so it will be useful to the next person.


 

I have been issuing new laptops to users and everyone seems to be having the same problem with the Lenovo Fingerprint Reader and Windows logon.  After installing the fingerprint reader software, I noticed a link to an article for users that were trying to log on to a domain using their fingerprint.

To enable the Windows or domain biometric settings in Control Panel, do the following:

  1. Click Start > Control Panel > Hardware and Sound > Biometric Devices > Change biometric settings. The Change biometric settings window is displayed.
  2. Select Biometrics on.
  3. Select Allow users to log on to Windows using their fingerprints.
  4. Select Allow users to log on to a domain using their fingerprints if the check box is available.
  5. Click Save Changes to save your configuration.
  6. Log off from the Windows operating system.
  7. You will be able to use your fingerprints the next time you log in to the domain.

Here is a link to the Lenovo article: http://support.lenovo.com/en_US/research/hints-or-tips/detail.page?&DocID=HT051327


 

I had a recurring issue months ago with Acronis causing my laptop to shut down during some backups (an occasional backup would succeed).  The shutdowns were not blue screen crashes but rather an abrupt shutdown, with no warning, as if the power button were pressed and held down.

In the past 10 months or so, I’ve received a new laptop, and rebuilt it (to move to Windows 7 Enterprise and BitLocker), so I don’t remember if uninstalling/reinstalling Acronis, installing a new build of Acronis or one of the other changes to my laptop made the issue go away…temporarily.  Unfortunately, the issue apparently returned a few weeks ago.  I recently discovered my scheduled backups to an external hard drive had not been working for a couple of weeks.

A coworker suggested I use Windows 7 native Backup and Restore and, so far, it appears to be working well.  While not offering the granular backup configuration options Acronis offers, it allows for system image backups in addition to standard backups which provide for easy restoration of individual folders and files.  That, and, it doesn’t shut down my laptop.  :D


 

Recently, I was tasked to work on separating 2 companies in Postini that were no longer under the same organization. In order to create the new account, I had to first delete the domain under the old Postini config which also required deleting all the users. I ran into a slight issue with this.

  • In order to delete the Org, you must delete all the domains under the Org.
  • In order to delete the domain, you must delete all the users under the Org.
  • You are not allowed to delete pdefault@example.com because the Org must have a default user.
  • You cannot create a new account for domain.com because the domain is in use under another Postini account.

The trick here is to assign a new default user for the org and then delete everything. Simply go to the Org General Settings and scroll down until you see Default User.

From here, you can change that to any user that already exists under your account. Even one under a different domain and Org. While this was a very simple solution, it was a little hard to realize what needed to be done because of the steps I went through to attempt to simply delete an Org from a Postini account.


 

My laptop data backups to an external hard drive quit working.  I am using Acronis Backup & Recovery 10 and a scheduled backup would always result in a “bad username and password” error.

I double checked my windows domain credentials, created backup accounts and checked those credentials, used the default local administrator and checked those credentials. None of them worked.

Here is the solution from Acronis support:

When you edit the manual backup plan to schedule, make sure that you select the backup Location and re-enter the Online location credential, and then move on to scheduling it and save it to perform the backup.
Once you edit the existing backup plan you would have to re-enter the location where you want to backup or else it would not take in the previous user name and password.

So basically, you have to change the backup location in order to get it to recognize the plan credentials.  Glad they had the answer. I don’t know that I would have ever thought to re-enter the location, since it wasn’t changing.


 

We normally recommend a customer password protect the management interfaces of their networked printers.  In general, it seems a wise thing to not allow just anyone who is so inclined to change printer configurations.

However, we have also shown it to be simple to redirect printer output if you change a printer's IP address.  We turned one printer off (Printer #1) and then changed the IP address of Printer #2 to be that of Printer #1.  A print job sent to Printer #1 now prints on Printer #2.

It's not a difficult thing to get the IP address of a printer, especially if you have physical access to the printer. Thus, even if only for a while until someone determines an IP address change was the culprit, it would be possible for someone to intercept potentially sensitive documents if they had the ability to change printer IP addresses.

Using port security or sticky MAC addresses on switches would also help with this security issue by preventing anyone from attaching their own printer to the network, complementing the password protection on the management interfaces of your printers.
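Two of the posts above come down to reading switch and router configuration text carefully: the RADIUS post, where a stale `radius-server host` line with the wrong ports stayed active beside the corrected one, and this printer post, which recommends port security with sticky MAC addresses on the ports printers hang off. The audit script below is an added example, not code from either post or from Cisco: it parses a constructed IOS-style running-config, reports any RADIUS server address that appears on more than one line, and lists access ports that lack `switchport port-security` or `switchport port-security mac-address sticky`. The addresses, interface names and the `PLACEHOLDER-KEY` shared secret are all made up for the sample.

```python
import re
from collections import defaultdict
from typing import Dict, List

# CONSTRUCTED sample of a Cisco IOS running-config (not from either post). It
# reproduces the two situations described above: one RADIUS server entered
# twice (legacy ports 1645/1646 and standard ports 1812/1813, both active), and
# two printer access ports of which only one has port security with sticky MACs.
SAMPLE_CONFIG = """\
hostname edge-sw-1
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key PLACEHOLDER-KEY
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
!
interface FastEthernet0/1
 description printer-floor2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 description printer-floor3
 switchport mode access
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
"""

RADIUS_HOST = re.compile(r"^radius-server host (\S+)(.*)$")

# The two per-port commands the printer post recommends.
REQUIRED_PORT_SECURITY = [
    "switchport port-security",
    "switchport port-security mac-address sticky",
]


def duplicate_radius_hosts(config: str) -> Dict[str, List[str]]:
    """Map each RADIUS server address that occurs on more than one
    'radius-server host' line to all of those lines. IOS keeps every entry
    active, so re-entering a line with corrected ports does not replace the
    old one; only an explicit 'no radius-server host ...' removes it."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in config.splitlines():
        match = RADIUS_HOST.match(line.strip())
        if match:
            seen[match.group(1)].append(line.strip())
    return {host: lines for host, lines in seen.items() if len(lines) > 1}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]}. A stanza ends at
    the next top-level line ('!' or any unindented command)."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def access_ports_missing_port_security(config: str) -> Dict[str, List[str]]:
    """For each access port, list the required port-security commands that are
    absent. Trunk ports (uplinks) are deliberately skipped."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue
        missing = [cmd for cmd in REQUIRED_PORT_SECURITY if cmd not in cmds]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for host, lines in duplicate_radius_hosts(SAMPLE_CONFIG).items():
        print(f"RADIUS server {host} is configured {len(lines)} times:")
        for entry in lines:
            print("   ", entry)
    for name, missing in access_ports_missing_port_security(SAMPLE_CONFIG).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Feed it the output of `show running-config` saved to a file; the duplicate check is the one that would have caught the RADIUS problem described above in seconds rather than after a long troubleshooting session.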