Showing posts with label corposphere. Show all posts

Saturday, August 14, 2010

10 Days of "Auto AutoAdjust"


And no one has complained yet!

I must say it adds a bit of a challenge. And that challenge is staying less than 10 points ahead! That, and finding a good place to hide when it's time to KICK OUT THE JAMBS!

IN OTHER NEWS, it seems like the stars and planets have aligned for some sort of cosmic spotlight on the old Dinkster. Normally, for me at least, when I get that feeling it's reminiscent of the archetypal wide-eyed convict with hands spread and back against the prison wall.

Generally speaking, not a good feeling.

This time around I think things are going to be different. There are some endings and beginnings on the horizon and all of them are good. Not only is there a light over at the Frankenstein Place, there's one at the end of the tunnel as well. Last week brought a Triple Whammy of Good Things, all centered around the same subject, a subject on which I just happen to be a Subject Matter Expert (SME, for you non-PMPs).

And although I don't want to get specific just yet, suffice to say this may finally be my ticket out of the Salt Mines.

Tuesday, April 28, 2009

I'm Stealing A Laptop Today!


Don't get excited. I haven't gone over to the Dark Side.

Yet.

Besides, it's my own laptop. That is, it's the laptop my employer has issued to me. And I'm not taking it home in my lunch box. This time.

I'm stealing it virtually!

You see, nobody steals laptops for the hardware anymore. It's all about the data. With the right access level, laptops, or any computer, can be stolen without ever busting a lock or leaving a fingerprint.

All with free tools easily available over the Internet. I'm not talking about "hacking tools" - you have to be brave to use that crap these days because you never know what might be hiding in them - I'm talking about legitimate software distributed by legitimate companies. In this case, VMware.

VMware distributes a nice little tool called the VMware vCenter Converter which allows you, among other things, to turn a real nuts and bolts box into a virtual machine.

Which is exactly what I'm doing now. As I type this, the bits and bytes of the hard disk in my laptop are flying over the Internet to a VMware server in my family room. When it's all over I will have an exact copy of my laptop, minus the hardware of course.

This is really No Big Deal. Anyone with the right amount of access can do this surreptitiously in your IT environment, cut the image to a USB thumb drive and take it home to hack at their leisure. Or sell to the highest bidder.

The trick is in doing it over the Internet. If I had a 32G USB drive I'd probably do it that way, but I don't. What I do have is a cable modem and three covert channels back to the office.

Plus an aging Linux box that I talked a former Boss into letting me install on the corporate network over eight years ago. If I had my way, Linux would only be allowed under the strictest security policy possible - it's just too damned powerful for mere mortals.

The biggest problem to overcome is establishing a common network share for the corporate and VMware boxes. That is accomplished with OpenVPN, the BEST damned Open Source SSL VPN on the planet.

That is covert channel #1. Channels 2 and 3 are port-forwarding SSH tunnels that connect back to HinkyNet over the corporate proxy. One of the SSH channels is established with a Cygwin service running on my corp workstation. The other is a bash script on a Debian VM that runs on the VMware GSX server on my workstation. All three will reconnect if the workstation is bounced and there is enough redundancy so that if any two of them go down the third can be used to bring the other two back up.

In practice, OpenVPN is the hardest to keep running, but that is due to the security limitations in our environment (many of which are of my own doing).

And because of that issue, I'm on my second attempt at this Proof of Concept exercise. I started yesterday and got 15 gigs downloaded before the OpenVPN connection crashed at 5AM this morning. I can also do this just as easily over SSH tunnels, but that would require using the VMware 2.0 server on my MythTV box, which currently has too much disk space dedicated to unwatched recordings of "Terminator" and "Life on Mars"!

The first time through is always a learning experience.

But the point remains: given enough time and enough access and the right tools, an insider can walk away with your company's entire IT infrastructure. I'm already looking into what can be done about this with the tools our company already has (like everyone else in this economy we're not spending cash we don't have). VMware and virtualization in general is so hot, no one is looking into the security implications these tools bring with them.

Or at least they're not publishing.
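
One thing existing tools can already do about the transfer described above is watch the proxy for it. The sketch below is an added example, not part of the original post: it totals bytes and tunnel time per client and destination for CONNECT entries and flags pairs that look like a disk image leaving the building. It assumes Squid's native access.log layout (the post does not name the proxy); the log lines, addresses and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample lines, Squid native access.log layout (assumed proxy):
# time elapsed_ms client result/status bytes method target user hierarchy type
SAMPLE_LOG = """\
1240898400.101 412 10.20.1.15 TCP_MISS/200 18234 CONNECT mail.example.com:443 - DIRECT/198.51.100.10 -
1240898460.220 21600000 10.20.1.44 TCP_MISS/200 16106127360 CONNECT host.example.net:443 - DIRECT/203.0.113.7 -
1240898500.333 95 10.20.1.15 TCP_MISS/200 5120 GET http://intranet.example.com/ - DIRECT/198.51.100.20 text/html
1240920100.007 7200000 10.20.1.44 TCP_MISS/200 2048 CONNECT host.example.net:443 - DIRECT/203.0.113.7 -
1240927400.500 7150000 10.20.1.44 TCP_MISS/200 4096 CONNECT host.example.net:443 - DIRECT/203.0.113.7 -
not a log line
"""

# Assumed thresholds; tune them against your own baseline.
MAX_TUNNEL_BYTES = 1 * 1024**3   # 1 GiB through one client/target pair
MAX_TUNNEL_SECONDS = 4 * 3600    # 4 hours of cumulative tunnel time

def parse_connects(text):
    """Yield (client, target, bytes, seconds) for each CONNECT entry."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        try:
            yield f[2], f[6], int(f[4]), int(f[1]) / 1000.0
        except ValueError:
            continue  # malformed numeric field: skip rather than crash

def flag_tunnels(text):
    """Return {(client, target): [reasons]} for pairs over a threshold."""
    totals = defaultdict(lambda: [0, 0.0, 0])  # bytes, seconds, sessions
    for client, target, nbytes, secs in parse_connects(text):
        t = totals[(client, target)]
        t[0] += nbytes
        t[1] += secs
        t[2] += 1
    findings = {}
    for key, (nbytes, secs, sessions) in totals.items():
        reasons = []
        if nbytes > MAX_TUNNEL_BYTES:
            reasons.append(f"volume {nbytes / 1024**3:.1f} GiB")
        if secs > MAX_TUNNEL_SECONDS:
            reasons.append(f"tunnel time {secs / 3600:.1f} h over {sessions} sessions")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (client, target), reasons in flag_tunnels(SAMPLE_LOG).items():
        print(client, "->", target, ":", "; ".join(reasons))
```

Summing per pair rather than per session matters here: tunnels that reconnect after every drop produce many short entries that each look unremarkable on their own.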

Saturday, June 23, 2007

Security 3.0

The corposphere is all abuzz about Security 3.0!

Seems they just got back from a Gartner clusterfuck in Washington D.C. and they just can't stop talking about it. They gotta have it because it gets their corporate panties all tied up in a bunch just thinking about it!

Soon it will be Mr. HinkyDink's problem. I can only say "Bring it on suckaz!"

As you may or may not know, IRL the Dink is an Information Technology Security Whiz Kid. It's not a job I actively sought out. Rather I sort of fell into it during the dot-com days.

"Hey Dink! Wanna be the security officer?"

"I guess so."

And the job was mine. A few months later, at a burn rate of $1.7M per month the venture capital was drying up and it was obvious the place was sinking fast. I got out while the other rats were still in denial and finagled a job (for, sadly, much less money) at a large (9,000+ employees) organization as a programmer analyst. About two weeks later...

"Hey Dink! Wanna join my security team?"

"I guess so."

And the rest is... ummm... classified.

Anyhow, management reorgs and shakeups were the hallmark of the next few years and when the bits settled Dink was on top of the security heap. Not so high that he got to attend the Gartner clusterfuck personally, mind you. It's a very small heap, more properly described as a pile of crap.

Otherwise known as "Security 2.0"!

What is (was) "Security 2.0"? Funny you should ask. It was, according to Gartner, a pile of software and hardware security "point solutions". This translates to "a lot of small companies making money in a niche market". It turns out the Big Boys (IBM and HP in this case) noticed these small companies making money and bought them all up.

So they naturally turned to Gartner to "create buzz" over their new acquisitions. And that buzz is "Security 3.0"!

It will work out well for them. It always has. And I'll get a new budget that will end up in IBM and HP's deep, deep pockets.