Cats, coffee and Elephants

As part of my job at Novell I get to travel around various places. This has given me the chance to try numerous types of coffee across many countries and cultures. Coffee itself has an interesting history, starting with the legend of Kaldi. Kaldi was a goat herder who noticed his goats became somewhat animated after eating berries from a certain bush. History is quiet on whether his parents had told him not to eat berries from a bush; clearly they had not mentioned anything about picking the berries, throwing them into a fire and then using the roast beans to create the drink we know today as coffee.

Coffee was cultivated, traded and drunk throughout the Middle East before spreading worldwide. The first coffee houses, known as qahveh khaneh, also began to appear at this time. Entertainment, musical performances, chess and the news of the day were all available to those imbibing the black stuff.

Your local coffee shop may offer some or all of those things; they may even be on the menu, although it’s unlikely you’d be able to buy Black Ivory Coffee unless you have phoned ahead several days in advance. This will then allow your beverage provider enough time to obtain a herd of Elephants, feed them several kilos of coffee berries and then wait for the digestive process to complete. Sort through the piles of dung for the coffee beans, roast, grind and you’re ready to brew. If space is an issue, as Elephants do take up space in any room, you could use Civet cats instead. I’d advise against that as we all know cats are evil. And their poo really smells.

I digress.

Today your coffee shop offers wi-fi as well. And that’s what can be hazardous to your computer. Here’s why.

Microsoft released its latest set of patches, the so-called Patch Tuesday, this week. This particular update is noteworthy and requires immediate action on your behalf.

Within the list of updates are:

  • MS15-011 & MS15-014 which harden group policy and address network access vulnerabilities that can be used to achieve remote code execution (RCE) in domain networks.
  • MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product.
  • MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines.

Remember our coffee shop, with its collection of Elephants, Cats and wi-fi? Here’s the attack scenario as described by Microsoft.

MS15-014 Attack

This is an example of a ‘coffee shop’ attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can direct the client traffic to an attacker-controlled system.

  1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.100\Share\Login.bat.
  2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
    a. The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
  3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server 10.0.0.100 is now routed through to the attacker’s machine.
  4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.

You can find more detail here http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx
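To show why the MS15-011 hardening stops the scenario above, here is an added example (mine, not from the post or from Microsoft) that models a simplified version of the "Hardened UNC Paths" check: a matched share is only used if the server proved its identity (mutual authentication) and the session is signed. The policy entries, the wildcard matching and the function names are my own assumptions for illustration, not Windows' implementation.

```python
"""Simplified model of a hardened-UNC-path check (illustration only, not Microsoft's code).
A request to a share covered by policy is refused unless the server could be mutually
authenticated (so a spoofed \\10.0.0.100 cannot impersonate the real one) and the SMB
session is signed (so the reply cannot be altered in transit)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hardening:
    require_mutual_auth: bool   # e.g. Kerberos: attacker's share cannot prove it is 10.0.0.100
    require_integrity: bool     # SMB signing on the session


UNC_RE = re.compile(r"\\\\([^\\]+)\\([^\\]+)(?:\\(.*))?")


def split_unc(path):
    """'\\\\server\\share\\rest' -> (server, share, rest); ValueError for non-UNC input."""
    m = UNC_RE.fullmatch(path)
    if not m:
        raise ValueError(f"not a UNC path: {path!r}")
    return m.group(1), m.group(2), m.group(3) or ""


def _matches(pattern, server, share):
    # '*' in a policy entry stands for any server or any share name (assumed semantics)
    p_server, p_share, _ = split_unc(pattern)
    return ((p_server == "*" or p_server.lower() == server.lower())
            and (p_share == "*" or p_share.lower() == share.lower()))


def policy_for(path, policy):
    """Combine every policy entry matching the request's server and share; strictest wins."""
    server, share, _ = split_unc(path)
    hits = [h for pattern, h in policy.items() if _matches(pattern, server, share)]
    if not hits:
        return None
    return Hardening(any(h.require_mutual_auth for h in hits),
                     any(h.require_integrity for h in hits))


def request_allowed(path, policy, mutually_authenticated, signed):
    """True if the client may use the share given what the session actually negotiated."""
    h = policy_for(path, policy)
    if h is None:
        return True                      # no hardening configured for this share
    if h.require_mutual_auth and not mutually_authenticated:
        return False
    if h.require_integrity and not signed:
        return False
    return True


# Constructed policy: the domain shares plus the scenario's login-script share.
EXAMPLE_POLICY = {
    r"\\*\SYSVOL": Hardening(True, True),
    r"\\*\NETLOGON": Hardening(True, True),
    r"\\10.0.0.100\Share": Hardening(True, True),
}
```

With the share covered, the attacker's copy of Login.bat is refused because the spoofed server cannot complete mutual authentication for 10.0.0.100; the unprotected share in the test shows the legacy behaviour the update does not change.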

All of the updates from Microsoft are available in ZENworks Patch Management. If you can’t see them, just perform a subscription download to make sure you have the latest content.

Feb 10 Patch Tuesday

You deploy these updates in the usual manner. I’d also recommend that you look at using patch policies, which will make keeping on top of Patch Tuesday a lot easier for you.

To further protect your device estate, you should look at having security settings that can adapt to the location. ZENworks Endpoint Security allows you to define policies whose enforcement settings change depending on the location of the device. For example, the Firewall can be less restrictive on known networks but have increased restrictions for those that are unknown. You could force use of VPNs in those pesky coffee shops.

I should make it clear that ZENworks can do nothing about rogue Elephants sitting on a laptop or a cat doing something worse.


Posted in Patch management, ZENworks

Applying a single patch policy

ZENworks patch policies were introduced in version 11.3 as a way for Administrators to express their wishes for automated patching. Judging by your feedback at Brainshare 2014, these are becoming very popular. Several of you asked questions about how to manually apply patch policies for devices that are mission critical, e.g. servers running SQL databases. The scenario is:

“Tell me automatically what vulnerabilities exist but I want to manually apply the policy to remediate them”

Let's start by reminding ourselves what a patch policy is.

Patch policy: A set of rules that determine what vulnerabilities should be remediated.

These are defined in ZCC. Click on Patch Management and then click on Patch Policies.

ZCC Patch Policies

List of patch policies

To create a Patch Policy, click on New. Choose your platform and give the policy a name. Then you need to decide which vulnerabilities you want to remediate. This is achieved by using rules.

Patch policy rules


You can build up a fairly complex query to determine exactly the vulnerabilities you are interested in. At any time, click on Apply to see what the result will be.

Carry on and complete the Patch Policy.  It will be added to the list shown in the first screen shot.

It could be that not all of the patches in the patch policy have yet been cached (downloaded) into your zone. Either wait for the next download as per your patch download schedule or trigger one manually using ZCC -> Configuration -> Patch management -> Subscription service information and click on Update Now.

patch subscription service

You also need to make sure that the patches are replicated to any primary / satellite servers used by those critical devices for content delivery. If you don’t do this, then the patch policy will fail because the required patches are not available for the target devices.

At this point you would normally assign the patch policy to the devices whose vulnerabilities you want remediated automatically. However, in this case we want to remediate manually.

Let's stop those devices from ever applying a patch policy by themselves. For the purposes of this post, I am assuming that you have all of those devices in their own Device Folder. If not, you’ll need to go to each Device in ZCC and change the settings.

I have a device folder called ‘My critical servers’. To change the way Patch Policies are used for devices in that folder, click on Details.

Folder details


In Details, click on Settings.

Settings


We need to alter Patch Policy Distribution and Patch Policy Enforcement. Let us start with Patch Policy Distribution.

Click on Override. I would recommend that distribution of patches to devices is triggered when we manually remediate. You are free to choose a scheduled approach if that works better for your environment. Even if the patches have not yet arrived when you manually remediate, they will be downloaded. Remember to click on Ok when you have made any changes.

Patch policy distribution

Now for Patch Policy Enforcement. This needs to be manual, not automatic.

As these are critical devices, disable automatic reboots. You can choose to reboot at your leisure.  Just don’t leave it too long!

Patch policy enforcement 1 Patch policy enforcement 2

Click on Ok.

And we’re almost there.

Go back to ZCC -> Patch Management -> Patch policies. Click on the patch policy you want and then click on Relationships. Click Add and browse to the folder that contains your critical servers. If the patch policy is applicable to other devices, you can add those as well.

Assign patch policy

To manually apply remediation, go to each device (or remote control it) and get to a command prompt. I would recommend that you run the command prompt as an administrator.

Cmd as administrator

To manually remediate the vulnerabilities defined by the patch policy, we take advantage of the fact that patch policies are delivered to the device as ZENworks bundles.

“Hang on a minute”, I hear you say, “What about zac pap?”

Two reasons:

1) It is the worst acronym ever in ZENworks, as shown by this entry from a U.K. dictionary of slang:


Noun. 1. Nonsense, rubbish.
2. Faeces.
Verb. To defecate. E.g.”He was so scared he papped his pants.”


2) zac pap applies all patch policies, not just the one we are interested in. You may have another patch policy that the device has been included in. We only want to apply our patch policy.

Let's press on.

At the command prompt, type zac bl.

You will get a list of the bundles associated with the device. In that list will be our patch policy.

zac bl

My patch policy is “Windows Server updates”.

To apply the patches in that patch policy and remediate the vulnerabilities, type zac bin <Display name shown in the list>.

If the patches have not yet been distributed, they will be. Once all patches are downloaded, installation will start.

zac bin

Wait until this process is completed.

zac bin finished

Then reboot when you’re ready.


Posted in ZENworks

Cloud computing – made successful thanks to inefficient policies

During my routine morning read of industry articles, whilst slurping tea, I came across one which started by discussing the use of cloud computing for D.R. before moving on to the wider arena of cloud computing in general.

Essentially the article argued that cloud computing was successful because internal organisational policies / politics made onsite computing more expensive. If the decision were made by Excel alone, then onsite would win in the majority of use cases, followed by co-location and finally cloud.

It will be interesting to see whether that premise holds.

Posted in Uncategorized

Synology NAS and malware alert

There is a nasty bit of malware hitting the headlines today which impacts Synology NAS boxes. If you are running DSM versions prior to DSM 4.3-3810 you need to upgrade to the latest DSM 5.x immediately. If you do not want to, or cannot, upgrade, disconnect your NAS box from the internet.

Now.

Don’t tweet or post to Facebook. Just do it.

The malware exploits a known vulnerability that was fixed back in December 2013. If you have not kept current on updates, then you are at risk. Check your DSM version and update if needed.

And then set up the alerts so that you’re notified of updates in the future.


More information here: http://www.theregister.co.uk/2014/08/05/the_growing_importance_of_security_first_in_wake_of_synology_attacks/

Posted in Uncategorized

Sessions for Brainshare 2014

My employer has a semi-regular event for our customers known as Brainshare. I’ve attended several now, both as an attendee and as an employee. It’s now time to start working on the list of sessions for my set of products within the ZENworks family. These are Patch, Endpoint Security and Full Disk Encryption.

Brainshare sessions typically fall into two categories: business stuff (why) and the technical (how).

This year Brainshare is in November at its regular location, the Salt Palace in Salt Lake City. More information here: Brainshare 2014

[ ] indicates how many slides you’ll be sitting through. As a general rule I try to minimise slideware and max out on demos.

Here’s my initial draft list. Let me know what you think and what should be added.

Title: ZENworks end point security futures [ slides and new feature demos ]

Presentation and discussion on the roadmap and futures for ZPM / ZESM / ZFDE. Also includes a demo preview of new stuff.

Best practices with ZESM [ slides ]

Practical advice for deploying ZESM in your environment. What works, what doesn’t work, common mistakes and troubleshooting steps.

Best practices with ZFDE [ slides ]

Practical advice for deploying ZFDE in your environment. What works, what doesn’t work, common mistakes and troubleshooting steps.

Best practices with ZPM [ min number of slides, max demo ]

Practical advice for deploying ZPM in your environment. What works, what doesn’t work, common mistakes and troubleshooting steps.

Data protection and you [ slides and some demo ]

This session distils the various data protection laws around the world so that you are aware of your requirements and risks. We will discuss actionable steps that you can take to ensure that you do not expose yourself and your organisation to legal action.

Start to protect your Intellectual Property with ZENworks device security solutions [ min number of slides, max demo ]

This session shows how you can start to protect your Intellectual Property from unauthorised exposure using a blend of ZPM, ZESM and ZFDE.

Device security in a regulated sector  [ slides ]

Many of our customers operate in a regulated industry. We look at the top regulations in each sector and how they impact device management.

Improving patch management process with Policies. [ min number of slides, max demo ]

With ZENworks 11.3 Patch Management we introduced the first iteration of patch management policies. These have a wealth of abilities that will help you improve your existing patch management processes.

Self encrypting drives – pitfalls and benefits  [ min number of slides , max demo ]

Hard drive manufacturers have rallied around a common standard for self-encrypting drives known as OPAL. There are a lot of new drives supporting this standard appearing on the market. But what benefits do they offer for protecting your data, and are there any pitfalls to avoid?

Don’t use glue to block USB ports, try policies instead  [ min number of slides , max demo ]

USB devices are still causing administrators nightmares. They have vast storage capabilities in a small form factor, which is a perfect recipe for getting lost or being used in a naughty way (no, not like that). By attending this session you’ll see how to use policy-based enforcement to regain control over USB devices, including how to vary it by user, device and location.

Posted in Uncategorized

roundcube email with Synology DSM 5.0

I recently upgraded my Synology NAS box to run the latest software, DSM 5.0. The upgrade went well and took around 15 minutes. Most of that time was due to the slow ADSL speed I get being out in the English countryside (2.7 Mb/s on a good day). Post upgrade, I then needed to upgrade the installed packages. Then things didn’t go so well.

With prior versions of DSM, the Zarafa email system was available. I’d been using this quite happily for family email. But DSM 5.0 doesn’t have that package and the old version is disabled following the upgrade. For email Synology now supplies only roundcube.

Now I’m a bit peeved that I have to switch software, but roundcube has everything I need and no email was lost. Install was simple; the UI is straightforward, clean and fast.

Everything back to normal.

Or so I thought.

I kept getting an “SMTP -1” error every time I tried to send an email. I checked all of the settings available in the roundcube UI and on my SMTP server. Everything checked out.

Time to go hard core.

I ssh’d into my NAS as root (FYI, it’s the same password as the admin user if you have a Synology NAS) and dived into the roundcube config files. The file I was interested in is this one:

/var/packages/MailStation/target/roundcubemail/config/main.inc.php

In the section for SMTP settings, I noticed that the logged-in user name and password were being sent across to the SMTP server for authentication. Now I’ve got my SMTP server configured not to require authentication for LAN clients. I wondered if there was a conflict.

To change the behaviour of roundcube, you’ll need to fire up vi and edit this file. You can’t get to these parameters using the UI. To avoid passing the username and password to the SMTP server, look for these lines:

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$rcmail_config['smtp_user'] = '%n';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$rcmail_config['smtp_pass'] = '%p';

Change to:

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$rcmail_config['smtp_user'] = '';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$rcmail_config['smtp_pass'] = '';

After saving the file and restarting roundcube, I could send emails again.

Joy. Balance was restored.

I still wonder why Synology removed support for Zarafa...

Posted in NAS

Mac OS X: Calculate md5 checksums on a folder and all its subfolders

After building a set of VMs for an upcoming event, I needed to make sure that the VM files were copied correctly to the portable drive I’m using to transport them. I make use of MD5 checksums for this. Here’s what I did to calculate the checksums on my Apple Mac Mini:

officemacmini01: jgiffard$ find . -type f -not -name "checksums.md5" -exec md5 '{}' \; > checksums.md5
officemacmini01: jgiffard$ cat checksums.md5
MD5 (./SubDir1/Hello.txt) = 09f7e02f1290be211da707a266f153b3
MD5 (./SubDir1/World.txt) = 52f83ff6877e42f613bcd2444c22528c
MD5 (./SubDir2/Bar.txt) = 962d3beb4fd61ea04797b6b00ded22d0
MD5 (./SubDir2/Foo.txt) = cbd8f7984c654c25512e3d9241ae569f

-type f [ files only, not folders ]

-not -name [ skip the file with the name in "" ]

-exec [ take each file name and give it to md5 to calculate the checksum ]

Results are sent to the checksums.md5 text file.

And so there you have it – a way to compute MD5 checksums for all files in a directory and its subdirectories via the OS X terminal, without needing to download additional third-party programs.

Note: There are literally thousands of sources that also have this information, so I am by no means claiming this as my own formulation or discovery. I’m posting this for my own personal use; hopefully will prove helpful to you as well.
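As an added example (mine, not from the original post), here is a Python equivalent that also does the step the post stops short of: it writes the same `MD5 (path) = digest` lines that md5(1) prints and then checks the copy on the portable drive against them, reporting missing, extra and changed files. The file names and contents built in demo() are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MANIFEST = "checksums.md5"
# One line of md5(1)'s default output, e.g. MD5 (./SubDir1/Hello.txt) = 09f7e02f...
LINE_RE = re.compile(r"^MD5 \((.+)\) = ([0-9a-f]{32})$")


def md5_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-GB VM images never need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def md5_tree(root):
    """Equivalent of the find/md5 pipeline: every regular file under root except the manifest."""
    root = Path(root)
    return {"./" + p.relative_to(root).as_posix(): md5_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def format_manifest(sums):
    return "".join(f"MD5 ({path}) = {digest}\n" for path, digest in sorted(sums.items()))


def parse_manifest(text):
    """Read a checksums.md5 written by md5(1) (or format_manifest) back into a dict."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not md5(1) output: {line!r}")
        sums[m.group(1)] = m.group(2)
    return sums


def verify_tree(root, expected):
    """Compare a copied tree against the manifest; three empty lists mean the copy is intact."""
    actual = md5_tree(root)
    return {"missing": sorted(set(expected) - set(actual)),
            "extra": sorted(set(actual) - set(expected)),
            "changed": sorted(p for p in expected if p in actual and actual[p] != expected[p])}


def demo():
    """Constructed sample: a source tree, its copy on the 'portable drive', then one bad copy."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        files = {"SubDir1/Hello.txt": b"Hello\n", "SubDir2/Foo.txt": b"Foo\n"}
        for base in (src, dst):
            for rel, data in files.items():
                p = Path(base, rel)
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        manifest = format_manifest(md5_tree(src))
        Path(src, MANIFEST).write_text(manifest)            # what the find command writes
        clean = verify_tree(dst, parse_manifest(manifest))
        Path(dst, "SubDir2/Foo.txt").write_bytes(b"Fo0\n")  # simulate a corrupted copy
        bad = verify_tree(dst, parse_manifest(manifest))
        return clean, bad
```

MD5 is fine for catching a bad copy, which is all the post uses it for; it is not a defence against someone deliberately substituting a file, since MD5 collisions are practical.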

Posted in Uncategorized