Digital Choke Daynotes

Daynotes a daily journal of our activity
  


Digital Choke an action that is sometimes needed for your computer; also a short techno-story available here.

"Daynotes" were popularized by an Internet Web site called the "Daynotes Gang" (http://www.daynotes.com or http://www.daynotes.org), a collection of the daily technical and personal observations of the famous and others. That group started on September 29, 1999, and has grown into an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. You can send your comments to us by clicking on any mailbox icon.


Week of August 17, 2003
Sunday, August 17, 2003   

Another weekend bites the dust (almost). Friday was traveling day, returning from a PeopleSoft Security class in Pleasanton, CA (south of San Francisco). Pam and I went out to Mel's Drive-In again for dinner, then did a short trip to Target for a couple of things (like a small fan for the office). We got home and watched TV for a bit, falling asleep so missed the post for Friday.

Saturday, Pam went off to work, while I was stuck at home without a vehicle. (Jason's car is still in the shop, so he's got my truck.) So I did a bit of cleaning (bathroom, shower/tub/sink/mirror), vacuumed the upstairs, and a couple of loads of laundry. I also puttered a bit outside, giving all the plants some extra water, and hosing off part of the back patio.

We barbequed some nice steaks for dinner, then went over to Blockbuster to rent some movies. We started watching "Solitude" with George Clooney, but it was a bit boring, and the background music put us both to sleep.

So, today's Sunday. Pam and I did some final preparation for our class at church, and that went well. Pam made some cinnamon rolls (with raisins) for the class, so we were well-received by the young adults (college-age) in our class.

We're fixing a turkey for dinner with our family. Pam uses the 'turkey in the bag' method, which turns out a really tender and juicy turkey. Add some Stove-Top stuffing, green beans, and a fruit salad, and it will be quite a good dinner (and not a big production).

This next week at work will be busy. There's a couple of Sendmail servers to set up, along with a Win2K3 server to run the email filtering software. I want to take a look at our Intrusion Detection Logs a bit to see how well we did at blocking the Blaster worm (my compatriots at work tell me that we were well-protected from those outside attacks). But I am a bit concerned about the 'sideways' attack.

Here's how that works. The network is well protected from outside attacks. And computers on the inside are probably well protected against viruses. But what about the person who works on his laptop at home and isn't as well protected? He gets hit with the Blaster worm (or any other virus/worm), then brings his laptop to work and hooks it up to the company network. Oops. Now your network is being attacked from the inside, and all those computers and servers are vulnerable. This, in fact, is what happened to many business networks. And I suspect that it will happen again.

So, as a network security dweeb, I need to make sure that I have 'protection in depth'. It's not enough just to protect against the outside threat; there is a significant threat from the inside as well. And that is among the things that are an important part of my job.
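To make the 'sideways' idea concrete, here is an added example (my own illustration, not code from the original post) that reads a constructed firewall log and separates the inside host fanning out to TCP port 135, the way a Blaster-infected laptop does once it is plugged into the LAN, from an outside scanner that the border firewall is already stopping. The log line format, the 10.20.0.0/16 company address space, and the fan-out threshold are assumptions made for the example.

```python
# Spot a 'sideways' worm outbreak in firewall/IDS logs: Blaster probes TCP 135
# (MS RPC/DCOM) host after host, so an inside machine fanning out to port 135
# across a subnet is the signature. Log format is constructed for this example:
#     "HH:MM:SS src -> dst:port/proto action"
import ipaddress
import re
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed company space
WORM_PORT = 135        # TCP 135, the RPC/DCOM port Blaster and Nachi attack
FANOUT_THRESHOLD = 20  # distinct targets before a source counts as a scanner
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) (\S+) -> (\S+):(\d+)/(tcp|udp) (allow|deny)$")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "action": action}

def classify_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Sources hitting WORM_PORT on >= threshold distinct internal hosts,
    split into 'sideways' (source is inside) and 'outside' (source is not)."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["proto"] == "tcp" and rec["port"] == WORM_PORT
                and is_internal(rec["dst"])):
            targets[rec["src"]].add(rec["dst"])
    result = {"sideways": {}, "outside": {}}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            bucket = "sideways" if is_internal(src) else "outside"
            result[bucket][src] = len(dsts)
    return result

def constructed_log():
    """Constructed sample: an infected laptop on the LAN, an outside scanner
    the border firewall denies, and one ordinary workstation."""
    lines = []
    for i in range(1, 31):  # laptop sweeps its own /24 and gets through
        lines.append(f"15:02:{i:02d} 10.20.4.17 -> 10.20.4.{i + 40}:135/tcp allow")
    for i in range(1, 31):  # outside host hammers port 135, firewall denies it
        lines.append(f"15:03:{i:02d} 198.51.100.9 -> 10.20.1.{i}:135/tcp deny")
    for i in range(3):      # normal file-share traffic to one server
        lines.append(f"15:04:0{i} 10.20.4.50 -> 10.20.1.5:445/tcp allow")
    return lines
```

Running `classify_scanners(constructed_log())` reports the laptop under 'sideways' and the external host under 'outside'; the 'sideways' bucket is the one the border firewall will never show you.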

Monday, August 18, 2003  

"There is nothing to see here." -- Zork I

Tuesday, August 19, 2003   

A few notes about Sunday's post. Brian C, one of my two regular readers, keeps in touch by clicking the mailbox icon up there. He commented on what he calls the 'Sideways Blaster Infection Theory' (detailed in Sunday's post). And added in some additional comments on that other big story last Friday that pushed Blaster off of the front page:

[...] my affliction with Blaster happened in the reverse to your sideways infection scenario from yesterday. Although the initial infection to the company's network was probably due to the sideways infection, I was fine (even logged on to the company network via dialup thru SecurID) for two days after it struck, but was infected by the time my login completed once I connected directly at the office. Oh well. Our tech showed up in about 5 minutes to patch and clean.

Thursday and Friday were much more interesting. I'd just got home, and my wife was trying to get the pool filter pump to come back on - it had apparently tripped its thermal overload again. We had no luck, and decided to simply wait it out. We went back inside, and she noticed that we didn't have power. I tried calling Hydro One (the provincial transmission company) and got a message that due to "unusual call volumes", they couldn't connect me to a customer rep. Obviously the power outage extended a bit wider than normal. I fired up the laptop, but hadn't completed the boot when we got a call from Laurie's mom in Belize to ask us if we had power. That's when we discovered that we were just two out of 50 million without. We weren't out too long - it came back on just before 3 in the morning and never went out again. We've also still got our generator that we purchased during the ice storm 5 years ago, although this time we took it over to the barn so we could pump water for the horses (we board our 3 Arabians about 15 minutes away). We were right on the edge of the outage - just half a kilometer up the road, they never lost power.

I guess we could call his Blaster experience a 'Reverse Sideways Blaster Infection'. He didn't get Blasted until someone else infected his network. But his infection was probably inevitable, since he hadn't patched his notebook. Even now, at home on my dial-up connection, ZoneAlarm blocks attempts on my computer 1-2 times per minute. If you have a broadband connection, your attack rate is probably much higher. And at the office, we get attack attempts at least every five seconds. I suspect your mileage will not vary.

Microsoft has some new (to me) pages to help home users protect their computer here: http://www.microsoft.com/protect (opens in a new window). There are just three tips: Install a firewall, update Windows, Update Anti-virus. I can recommend all three steps.

Wednesday, August 20, 2003   

Here are some things that made me laugh today. (Each will open up a new window so you won't get lost on your way back here.)

Wander over to John Dominik's pages as he tells you why Robert Thompson (another Daynoter) is a danger to civilization. Trust me, you'll want to read this. John has a clever way with words, and his site is one of my regular web-surfing stops. Besides, after reading that, you'll learn how to make a nice 'camp kitchen'. Not only is John an excellent computer/network techie (who is job hunting, as we have previously discussed), he's got some good woodworking skills.

Then read about the experiences of an ABCNEWS.COM journalist as he digs his way out from a pile of spam and virus alerts. The mail that he got was typical of the mail that many people at work got, and they all complained about it to me. Which is why I spent most of my time with virus stuff today.

John D. would be proud (I think) that the past two nights I have watched two 'chick flicks' with my wife: "How to Lose a Guy in 10 Days", and "What a Girl Wants". They were both somewhat amusing, and I think that I did get some extra points for my efforts.

Thursday, August 21, 2003   

I usually write these attempts at historical significance while sitting on the couch in the family room. The TV is usually on in the background, and Pam is usually sitting next to me reading, or lying down with her head near my lap so she can get some head rubs.

Tonight is a bit different. The weather today has been a bit thunderstormy. Not like you'd get in the Midwest, but some rain and 'thunderboomers'. That has continued through this evening, with a bit more scattered rain.

Our new house has the typically small back yard, and the previous owners landscaped it with a cement patio with plantings around the edges. There is no lawn back here, but there is a nice aluminum porch cover the full width of the house. We have some simple outdoor seating of padded folding chairs, and a small metal table.

While we are in a subdivision, our lot is on a bit of a hill, so the roof line of the house in back of us is almost below the level of our lot. That gives us a nice view to the west. On a clear day, you can see all the way to the coastal mountains, which are about 90 miles away. We get to view some nice sunsets.

So I am outside, with the laptop on the table, rather than my lap. Tonight, it is raining lightly, with the occasional harder rain typical of thunderstorms here that lasts only a few minutes. The noise of the rain falling on the metal porch roof is quite pleasant. The view to the west is dark, with the occasional flash of lightning; that storm is about 50-60 miles away, I think. It is a bit cool, but not uncomfortable; a sweater is almost needed. So it is quite pleasant out here, typing away with the background noise of rain falling, and the random flash of lightning and booming of thunder off in the distance.

On Sunday's post, I mentioned a bit about a 'sideways' attack on a network. And there was a bit more on yesterday's post. That kind of attack can be a real risk to a business network. It could be difficult to deal with, costing a lot of staff time.

Today, about 3 pm, we got a Sideways Blast.

Although it is difficult to say for sure, Blaster (or his cousins) came in one of two ways. An infected laptop was connected to the network, or a home worker with a VPN account was the source. In any case, it took less than 10 minutes for the help desk phones to start ringing with reports of worm infections.

We have a couple thousand computers on our little network, spread out in several different buildings, in several different areas in the City. And even though we have sub-netted the network, it didn't take long for the infection to spread everywhere.

Users were told to shut down computers immediately. Tech support staff scrambled to create CDs and floppies with the patches and recovery tools. And it wasn't only the computer network that was harmed. The amount of worm traffic also affected the IP phone system. Internet access was bogged down because of all the network traffic. Productivity around here took a major hit.

As I write this (in the 9 o'clock hour of the evening), recovery is still happening. I expect the technical support staff will spend most of tomorrow (and part of the weekend) cleaning this up. It could have been worse, and probably will be in the future. Blaster doesn't destroy data, it just destroys time. The next version, which is probably already being written, could just as easily delete files. Can you say "What Disaster Recovery Plan?" ?

The whole thing could have been avoided. Computer support is distributed throughout the company, and some areas are not as aggressive as others in ensuring patches are installed, even though they are told. We also don't have full protection (obviously) against an aggressive attack similar to Blaster.

This can be viewed as a wake-up call. It may be necessary to put a bit of enforcement behind our standards. At the SANS conference, one speaker said that his company deals with highly confidential information. Because of that, they have an aggressive security auditing team and process. Audits are regularly performed, and the audit results are given a score. If the audit shows a shortcoming in one area, then that area is given 24 hours to fix it. If it is not fixed, they get cut off from the network. And they don't get reconnected until the fix is proven.

That is a pretty aggressive policy. And it works because of the buy-in by senior management. They realize that the network is a vital part of their company. If the network fails for any reason, the company can be in big trouble.

In our company, we may not be able to be that aggressive. But we may need to enforce computer policies and configurations that are correct. For instance, if a VPN user is not properly configured against an attack (with a firewall and virus protection, and security settings on the computer), we may need to refuse their connection. If a person with a laptop wants to connect to our network at work, then it will need to be properly configured. Protection is only as good as the weakest link, as was proven at our company today.

What is ironic about this is that our security team had discussed the possibility of a sideways attack last Monday (it was on my mind ever since Blaster came out last week). And today, just before the attack, I was working on a risk assessment document on this vulnerability. Mitigating those risks will cost some money. And money is tight in our company (this is California). But that cost will be a lot less than the lost productivity that is happening right now.

There will be the inevitable complaints from others about how vulnerable Windows is. And, while partly true, that is just shifting blame. I believe that Windows XP is much less vulnerable than the old stuff we have on our network. The tools are out there to protect your computer. Some of the responsibility for protection is on your (and my) shoulders.

Remember the "mantra". We've discussed it here before. It's time to "Nike"....just do it.

Enough ranting. I'm going to grab a book and read a bit out here on the back porch. Or just gaze over the valley, watching the lightning, and listening to the thunder rumbling.

Friday, August 22, 2003   

Fought worms, broken timing belts; Stacy is back home for a visit.

Saturday, August 23, 2003   

It's been an interesting two days.

Friday at work, the Blaster worm (actually, its cousin, "Nachi") spread even more, to the extent that the network was saturated with its traffic. It was spreading much faster than we could block it. Even though we were putting "ACLs" (traffic blockers, basically) across the various parts of our network, the worm traffic was bogging the whole thing down. The CIO made the decision that we would have to shut down and do a massive attack of our own.

So, I sent out a message to all users telling them to shut down their computers and find something else to do. Only vital processes should continue, but everyone else should clean their desks or work off the network. Then all of the tech staff (and some not-so-technical) were given CDs with the patches and Nachi detection and removal programs, along with a step-by-step instruction sheet. They fanned out to the various buildings and started patching all systems. We had about 40 people wandering around working on over 2000 computers. It took them all day, but it looks like we got it under control.

While that was happening, I did some phone support of the "worm crew", and talked to the senior network admins in various departments to get their progress reports. We also kept the CIO informed of the progress, so she could keep the big bosses informed.

By 6 pm, things were slowing down a bit. Most of the worm crew had gone home. There were a few pockets of computers that hadn't been patched yet, but they will be handled on Monday (and the users know not to use them until they are cleared for use).

Stacy was flying in from Idaho, arriving at about 9:30pm, so Pam and I stayed at the office until a bit after 7pm. Then we went to dinner, and started driving to the airport. I took the back way in, down a rural road. We had just gotten off the freeway when the 'check engine' light came on and the tachometer went to zero. I pulled over to the side of the road, and tried starting the engine without success. The battery was strong, the gas gauge only half-full (or half-empty), the engine turned over, but didn't start. I popped the hood, all the external belts were OK, no obvious damage.

So I called "AAA", and about an hour later the tow truck driver verified my diagnosis of a broken timing belt. Luckily, the Camry doesn't have an interference engine, so a timing belt break won't kill the pistons or valves. While waiting for the tow truck, Pam called Jason to get Stacy from the airport and take her home. Another hour later, and with the tow company $110 richer, we dropped off the car at the repair shop, and Stacy drove up in the truck to take us home. We got home a bit before 11am.

I got up early this morning to get over to the repair shop to arrange for the repair. Then stopped by Lowe's for a few things for the day's project. Back home for breakfast, then Pam and Stacy went shopping while I worked on a few small projects. I added some drip sprayers to an area of the back yard that needed a bit more watering. Then I re-mounted one of the outdoor bamboo blinds to the patio cover. I fixed a disconnected wire on the low-voltage lighting system in the back yard. Then cleaned the crud off of the barbeque grills. And replaced the shower door latch. I hosed off the patio and the back windows of the house. I straightened up the workbench a bit, and removed the dead mouse from the corner of the garage.

All of that sounds quite extensive and perhaps even impressive, but I was able to finish most of it while still getting a short nap, and an episode of "Rawhide" (not what you think -- it's an old black and white Western, you young whippersnapper!).

Stacy has been wanting "In-n-Out" since she has been at college; the nearest one to her college is about 4 hours away. So that's where we went for dinner. Then we headed over to the cemetery to place some flowers on our middle daughter's grave (she was born 23 years ago, but only lived a few hours). Then off to an old friends' house to welcome their son home from his two-year mission in Tennessee. We drove by the old house, which has gone through some major renovation. (Better them than me.) We had a nice visit with old friends. Their daughter is a good friend of Stacy's, and their son is going back to BYU-Idaho (where Stacy goes) in a week. He got a used 4-Runner, so I told him he was in charge of driving Stacy during the winter. Stacy has never driven in snow. It will be interesting to see the condition of her 92 Corolla after a winter of snow driving.

After leaving that small reunion of friends, we stopped by Blockbuster for a couple of movies. We all trooped upstairs to watch "The Other Side of Heaven", which we all enjoyed. It's getting a bit late (as you can see by the time stamp at the top), so it's time to do a quick bit of surfing before hitting the sack.


Copyright (c) 2000-2003    Two Bridges Group,   All Rights Reserved