Exit strategy

interstate-exitThoughts about strategic IT problems come from all sorts of places.

TiVo picked up an episode of MI-5 that I got around to watching at 2 AM today.  The episode opens with the tech wizard guy explaining to the lead character how he’s set up a security system for the lead’s house that “makes it a fortress.”  Oh, damnable foreshadowing.  You just know it’s not going to go well.  And it doesn’t. At the end of the episode, the sophisticated entry control system is brought down by some cake frosting in the card reader.  Our hero is stuck outside, while his girlfriend and her daughter are stuck inside with a ticking time bomb.  Neither our hero nor the bomb squad can get in, and the people inside cannot get out.

What’s the IT aspect?  We focus more on cost and performance issues when establishing a relationship with a vendor or jumping into a new technology.  How will it be billed? What are the service levels and remedies?  It’s easy to overlook what happens when the contract ends, the application becomes obsolete, or the vendor disappears or drops the product.  At the end of the relationship, you may find yourself outside, your data locked in, and the clock is ticking.

It’s hard to figure out the exit strategies for SaaS and cloud-based applications.  And if recent events have taught us anything, it’s that no vendor or service is too big to fail.  Don’t walk in unless you know how to get out, and get out very fast if necessary.

The job ain’t done until you know how to run.

Rogue security, Search Engine Optimization, and some darn clever folks

1 Comment

A couple of weeks ago, Sarah Silverman was on Bill Maher’s Friday night show on HBO, where she showed her latest video. The next morning, I hopped on to Google to find it and forward it to some friends who had probably missed the show. The first 10 links on Google were sites that informed me my computer was infected by a virus, then downloaded a setup.exe file to the system to “clean” the viral infection.

Running a Linux system, I wasn’t afraid to download the files. I then submitted several to VirusTotal, a site that runs them through multiple anti-virus scanners. Only of of the samples was tagged as being “potentially” bad that Saturday morning.

Symantec has released a white paper about sites that install rogue security software, the characteristics of such software, and the methods of description. The report is well worth reading. It’s not the software I find interesting but what must be the highly automated systems that were able to mutate a trojan-dropper program to make it undetectable, determine hot search terms, and get pages up across the internet in a way that they turned up at the very top of the Google search results. Anyone with a web site struggles with Search Engine Optimization (SEO), the art and science of getting your web site noticed by search engines and returned near the top of any search that is relevant to your content. The evil doers who distribute the malware have this absolutely nailed.

The first step, I suppose, is to monitor topics of increasing interest using sites like Google Trends, Bing xRank, and TweetStats. As topics rise in trends, the next step is to enlist a web of web sites (see the Symantec white paper for more about these) and publish pages with matching terms on the page and in the keyword META construct, and then use the search engine submission APIs to push these pages into the search engines. I suspect that the sites involved appear to be blogs, because those are more frequently spidered and pushed into the result stream than sites with static content. In parallel with this, there needs to be an engine that’s mutating the malware payload of the sites to evade detection by the anti-virus systems. This requires its own ecology of mutators, base programs, and testing machines that use the anti-virus engines themselves to kill off the mutants that won’t survive in the wild. The final step is a system that tears all of this down after a day or so, as the search engines determine the sites to be malware hosts, the anti-virus systems develop antibodies for the malware, and legitimate sites begin to move up in the search engine results.

Symantec and other security providers have a number of ways for individuals, search engine providers, and system administrators to reduce the threat from such sites. Ultimately, it comes down to the message from X Files, “Trust No One”. Undermining trust and a feeling of safety is what terrorism is all about.

Why can’t the minds behind this use their powers for good instead of evil?

Denial of Service: Oops

I had a Firefox crash yesterday that seems to have corrupted the form completion database and/or some saved cookies.  It’s been no big deal; I just generally have to re-login to a lot of web sites. It was going OK until I got to my bank’s site today to pay some bills.  I know exactly what my password is, because I have to type it in every time I visit, but I’ve long since forgotten my user ID.  It wasn’t in the document in which I record user IDs and password hints.

I tried three or four times with each possible user ID, and after the 3rd or 4th time, I got the "your account has been locked" notice. After doing this for about 20 minutes, I folded and called customer service.  After the usual set of identification questions, I got my user ID.  (Darn!  Yeah, now I remember it).  I asked the person at the other end, a very nice person, what happened to the folks whose IDs I’d been trying.  He said that they’re locked out until they, too, call customer service.

So, if you try to login to your bank and your account is locked, my sincere apologies. 

The bigger issue, of course, is the possibility for someone to do this maliciously.  If I know your bank account user ID, I can lock you out of it by writing a script that tries (and fails) to login and running it every 10 minutes.  Similarly, if your network as a terminal server available, I can lock out any number of users, including the admnistrator, by doing the same thing.  That would be annoying. 

Consider the case,however, if I have access to your system and want to do somethign bad to it.  While I’m in, it would  be a good idea for me to lock the doors behind me, to keep out any admins who might be notified if/when I set offf an alarm.  When setting up access policies, its important to remember that setting a time lock can lock you out while someone else is within, doing something nasty to your system.  Make sure you have a secure back door, and make sure it uses its own key.

Layered Defense using DNS

Network protection should not rely on a single magic bullet solution, but on layers of overlapping security.  Mail should go through a couple of virus checkers and spam filters before it ever hits your inbox.  A firewall keeps unwanted network traffic out and blocks unexpected outgoing traffic.  Layered firewalls — at the Internet connection and on each computer — provide better security.  Managing outgoing traffic via DNS filtering is another layer of protection for both home and corporate networks.


OpenDNS operates a network of DNS servers and, based on your administrative choices, can block sites known for distributing stuff generally not appropriate for work — "adult material", phishing and malware — all the day down to social networking sites. They also handle typos, for example, recognizing .cmo and changing it to .com on the fly. You get full statistics on DNS queries, approved and blocked.

What do they get out of it? As far as I can tell, they can track usage patterns and subsequently sell that information. In addition, they route all NXDOMAIN requests to a page (that you sort of control) on which they place ads.

I use OpenDNS for my home network (changing the DNS server addresses on the router) and set it up at my former employer (by changing the forwarding servers used by our own DNS servers). On the corporate network, we regarded OpenDNS as an additional firewall blocking access to bad sites and a way to determine whether we had machines on the network that might be compromised.