Modify Active Directory’s User/Computer Account Placement
I don’t know about you, but it would be helpful for me to have computer/user accounts created in an OU instead of the default CN=Users location. Microsoft provides a solution for this; granted, it’s not the best, but it will do. The following commands are used to do this.
User accounts: redirusr ou=myusers,DC=corp,dc=com
Computer accounts: redircmp ou=mycomputers,DC=corp,dc=com
In mapping the computer build process for zero touch deployment this was a problem area as I use GPOs heavily. Now I can have all computer accounts created in a “staging” OU that GPOs apply to. Sure, they still have to be moved, but with proper naming and maintenance scripts this also can be accomplished.
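One way to write the maintenance script mentioned above (an added example, not part of the original post): it confirms that the redircmp redirect took effect, then moves computers out of the staging OU according to their name prefix. The destination OUs and the prefix convention are assumptions made for illustration.

```powershell
# Added example, not from the original post. The destination OUs and the
# name prefixes below are hypothetical; adjust them to your own convention.
Import-Module ActiveDirectory

$StagingOU = 'OU=mycomputers,DC=corp,DC=com'   # the OU passed to redircmp

# Hypothetical naming convention: computer-name prefix -> destination OU
$PrefixMap = [ordered]@{
    'LT-'  = 'OU=Laptops,OU=Workstations,DC=corp,DC=com'
    'WS-'  = 'OU=Desktops,OU=Workstations,DC=corp,DC=com'
    'SRV-' = 'OU=Servers,DC=corp,DC=com'
}

# Confirm the redirect took effect before relying on the staging OU.
$domain = Get-ADDomain
if ($domain.ComputersContainer -ne $StagingOU) {
    Write-Warning "New computer accounts land in '$($domain.ComputersContainer)', not '$StagingOU'."
}

# Only look at objects sitting directly in the staging OU.
$staged = Get-ADComputer -Filter * -SearchBase $StagingOU -SearchScope OneLevel -Properties whenCreated

foreach ($computer in $staged) {
    $target = $null
    foreach ($prefix in $PrefixMap.Keys) {
        if ($computer.Name.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $target = $PrefixMap[$prefix]
            break
        }
    }

    if ($target) {
        # -WhatIf reports the move without performing it; remove it once the output looks right.
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target -WhatIf
    }
    else {
        # Unmatched names stay in staging, where the staging GPOs still apply,
        # and are reported so they can be reviewed by hand.
        $age = (New-TimeSpan -Start $computer.whenCreated -End (Get-Date)).Days
        Write-Warning "$($computer.Name) matches no prefix; in staging for $age day(s)."
    }
}
```

Accounts that match no prefix are left in place and reported, so a machine joined with an unexpected name stays under the staging GPOs instead of being moved somewhere with weaker policy.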
ref: Q324949
/ip
Current State of Identity Theft (1 of 5)
As a group project for my Project Based Information Systems class at UMass, our group chose to write on the subject of Identity Theft. We’ve tried to show that government and the private sector are struggling to reduce the threat while most of the cost and burden falls on the merchants and individuals. I will be posting each individual’s portion and the final paper here. I had the intro and it is as follows…
Imagine you wake up one morning to a phone call. The person on the other end is the HR manager for the company you just interviewed at. She informs you that they found a problem with your background check. You think to yourself — for sure that ticket last August wouldn’t cause an issue. Only to find out that it shows you’re in a federal prison on a drug trafficking charge. You’re floored and assure her that you are not in prison and certainly not for drug trafficking.
After 40 plus hours of stressful phone calls to people who you can only describe as less than helpful, you feel like you’ve been beaten with a baseball bat. Even so, you think that you’ve gotten your name cleared and all the fraudulent charges removed from your credit report. You vow to never be caught in this situation again. You pick up the phone, hopefully for the last time, to call a fraud alert place you’ve read some good reviews about. You finally get on the line with someone helpful.
Over the next few minutes you explain to the person on the other line what’s happened. First someone stole your mail; you didn’t think anything about it — just a slow day at USPS. It turns out that it was a drug addict that used your mail to get a fix. The dealer, with his new identity, proceeded to use your good name to launder his ill-gotten gains. He even used your name when he was arrested. The person on the other end knew just what to say and for $210 dollars a year they assure you this will not happen again.
If you think this isn’t common you’re mistaken. Scenarios like this happen every day. People’s mail is stolen, cars broken into, even the retailer up the street who forgot to turn on encryption for their wireless network gets hacked. This happens to 1 out of every 30 Americans. The yearly losses for identity theft range from $48 to $56 million dollars.
Identity theft, defined by Bruce Schneier, is when a criminal collects enough personal data on the victim to impersonate him to financial institutions. Government and the private sector are struggling to reduce the threat while most of the cost and burden falls on the merchants and individuals. Identity theft, fraudulent transactions, and data breaches in the news are becoming the norm. Many financial institutions lobby Congress to keep litigation from passing, because having readily available and identifying information on your clients is good for business.
This type of crime involves two issues. One is the privacy of data and the other is how easy it is for a criminal to use this data. We’ve focused a lot of our efforts on keeping the data private and verifying if someone is who they say they are, but not on authenticating the actual transaction. Some credit card companies are starting to do this. If they see a purchase or multiple purchases that are “out of character” they flag the transactions and alert the card holder.
Many state governments are trying to provide new ways to reduce the likelihood this will happen to an individual. Seventeen states have passed “credit freeze” laws and are giving harsher penalties to criminals. While these are good things, people don’t realize how often their credit is used. This can cause a very large inconvenience when you’re trying to switch cell providers, for example. There is always a line between security and convenience. Oftentimes we err on the side of convenience and that is where many of these problems arise.
A new trend coming into the public spotlight is companies disclosing data breaches. This has made a lot of headway in forcing companies to secure their data. It’s also given way to new standards and regulations like PCI-DSS, or Payment Card Industry Data Security Standard. This was developed by major credit card companies and is a guideline for companies. It is a security framework for companies that puts forth requirements for storage, transfer, and deletion of credit card information.
Protection against Identity Theft falls on everyone’s shoulders. Merchants need to find better ways of verifying people. Financial institutions need to start authenticating transactions and we need to be a little more careful with our own information. What is the final answer? That is yet to be seen, but more can be done, that is for sure.
Resources:
Forbes: Solving Identity Theft
NYT: Technology and Easy Credit Give Identity Thieves an Edge
Tags: IdentityTheft, School, Paper
Use Suggested Security Guidelines and Controlling the Hypervisor
Hoff over at Rational Survivability brings a good point (read, duh [but most don't do]) to light — Follow the suggested security guidelines. How many times have we followed the step-by-step setup instructions, and we don’t give security a second thought. Could it be because the security guidelines are not step-by-step…who knows? If Schneier is right, and security will just become part of it…maybe a good place to start is to integrate the security into the setup and documentation. Even if the vendor doesn’t — you should.
An interesting quote on VMware from his post.
Jon Oberheide, a researcher and PhD candidate at the University of Michigan, is releasing a proof-of-concept tool called Xensploit that lets an attacker take over the VM’s hypervisor and applications, and grab sensitive data from the live VMs.
Really? Take over the hypervisor, eh? Hmmmm. That sounds super-serious! Oh, the humanity!
I’ve got to agree…
Tags: Security, Thoughts, VMWare, Hypervisor, Xensploit, Shoutout
A 1000 Words and All That
Wow, some days you look forward to being over. You keep your door shut and do what you have to. Even then people knock, call, email, IM, SMS, Skype…but hey that’s the gig right. Anyhow I just thought this was a good picture and wanted to drop it on the site.
It’s taken from a PS3 wallpaper for the downloadable game called PAIN. It’s a lot of fun if you haven’t tried it. Grab a beer (…is my favorite color) and catapult dude across town and see what he hits…holla.
Wow…sound in Ubuntu
Heh, <gripe from previous post> x 2….
It seems that when you play sound through one program it “locks” the sound card and doesn’t give it back till you logoff/on. I found a fix here. It seems this is a problem with ALSA and the lack of software mixing.
Please note*
Good times…
Tags: Ubuntu, ALSA, RealPlayer, Sound, XMMS
Errr…It just works
More Ubuntu issues…
I love streamtuner to listen to music (I’m an old winamp user). Anyhow, I got the error when xmms launched:
“Couldn’t open audio”
My fix was to right click in xmms > options > preferences > change “output plugin” to ALSA.
Sure these are easy fixes, but shouldn’t it just work? Yes, I like Linux because you do learn so much more about operating systems, and for the most part it does work. I just have a feeling that if you rolled it out to a company with training, your help desk would still be flooded with calls like this.
Fix rdesktop “exit” Fullscreen issue in Ubuntu
I use RDP a lot and having to disconnect from my session to switch to another window is not an option. The problem lies somewhere with compiz. What’s supposed to happen when you hit ctrl+alt+enter is that it windows the session…but it doesn’t. Here is my fix.
sudo apt-get install compizconfig-settings-manager
System > Preferences > Advanced Desktop Effects Settings
Utility > Workarounds > uncheck Legacy Fullscreen Support
That should do it…now off to figure out using SSL with rdesktop.
Tags: TechSupport, Fix, Ubuntu, rdesktop, compiz
Consolidation of Security Vendors
Have you been watching your current and potential security vendors? Are they about to be bought up by a larger non-security firm? If so, what are the risks? This isn’t something that I’ve ever put in an RFP when I am soliciting vendors for a solution.
Let’s say you spend your time picking the correct vendor for some aspect of your security plan. Then bam they are scooped up by <insert large dominating corporation here>, what then? Some companies you start a relationship with…you know up front they are out to be bought. Some you know are too good and it’s bound to happen. Should this (or this should) be factored into your decision making process?
Take IBM picking up ISS. I was around [IBM] during this time and prior to it. I had the chance to move to ISS prior to and afterwards, but enjoyed my security training at IBM. I even had a few friends make the move and a few friends already working there. Did ISS’s customers suffer from this or did they get a new level of service? I can’t answer this question from a customer standpoint, but from what I heard internally everything went pretty smooth. Sometimes it is a good fit, but sometimes not. Sometimes, the product you’ve chosen so carefully gets nix’d and you’re left with your coffee cup in your hand scratching your head…
Tags: Thoughts
Upcoming posts
Well I am getting my online stuff squared away with my website and blog. I’ve dropped my hosting package and moved to wordpress.com. It just made sense…I did the upgrade to allow me to use the domain, 10 points a year…good deal. I’m dropping ianphilpot.com, but keeping the domain. Maybe there will be a reason for it later, but it was of no real benefit to me. Anyhow, I have a few things going on. School is great and life is good. I have about 5 or 6 topics I am writing on and hope to get posting soon.
Topics:
- What does it mean to align security requirements with business objectives?
- Does putting internet facing servers in a DMZ make your network more secure?
- Can auditing and monitoring employee activity increase the security posture of a company?
- Is the principle of least privilege a viable way to increase user productivity?
I’m excited about the last one on the least privilege model. I’ve put a good amount of thought and research into it and feel I’ve made a good case. I will be posting some ideas as I develop them on the other topics and finish them up with a “paper” of sorts. I have one other topic that I am keeping to myself for the time. I have high hopes for it and will probably be sending it to some “call for papers”. I’m soliciting help on it because it involves a lot of math and statistical analysis that is a little out of my reach…for now ;-)
Expect some good discussions to come…
I hate security…
…well not really, but deny all…DONE! –stare at sun…change password…and all that.