Sudonix

Sudonix

Keep It Simple, Stupid...

Blog
  • phenomlabundefined

    tech.jpeg
    Ever heard of KISS ? Nope - not these guys

    kiss.jpeg
    What I’m referring to is the acronym was reportedly coined by Kelly Johnson, lead engineer at the Lockheed Skunk Works (creators of the Lockheed U-2 and SR-71 Blackbird spy planes, among many others), which formed the basis of the relationship between the way things break, and the sophistication available to repair them. You might be puzzled at why I’d write about something like this, but it’s a situation I see constantly – one I like to refer to as “over thinker syndrome”. What do I mean by this ? Here’s the theory. Some people are very analytical when it comes to problem solving. Couple that with technical knowledge and you could land up with a situation where something relatively simple gets blown out of all proportion because the scenario played out in the mind is often much further from reality than you’d expect. And the technical reasoning is usually always to blame.

    Some years ago in a previous career, a colleague noticed that the Exchange Server (2003 wouldn’t you know) would suddenly reboot half way through a backup job. Rightly so, he wanted to investigate and asked me if this would be ok. Anyone with an ounce of experience knows that functional backups are critical in the event of a disaster – none more so than I – obviously, I gave the go ahead. One bright spark in my team suggested a reboot of the server, which immediately prompted the response

    “……it’s rebooting itself every day, so how will that help ?”

    There’s always one, isn’t there ? The final (and honestly more realistic suggestion) was to enable verbose logging in Exchange. This is actually a good idea, but only if you suspect that the information store could be the issue. Given the evidence, I wasn’t convinced. If there was corruption in the store, or on any of the disks, this would show itself randomly through the day and wouldn’t wait until 2am in the morning. Not wanting to come across as condescending, I agreed, but at the same time, set a deadline to escalation. I wasn’t overly concerned about the backups as these were being completed manually each day whilst the investigations were taking place. Neither was I concerned at what could be seen at this point as wasting someone’s time when you think you may have the answer to what now seemed to be an impossible problem. This is where experience will eclipse any formal qualifications hands down. Those with university degrees may scoff at this, but those with substantially analytical thinking patterns seem to avoid logic like the plague and go off on a wild tangent looking for a dramatically technical explanation and solution to a problem when it’s much simpler than you’d expect.

    After witnessing the pained expression on the face of my now exasperated and exhausted tech, I said “let’s get a coffee”. In agreement, he followed me to the kitchen and then asked me what I thought the problem could be. I said that if he wanted my advice, it would be to step back and look at this problem from a logical angle rather than technical. The confused look I received was priceless – the guy must have really though I’d lost the plot. After what seemed like an eternity (although in reality only a few seconds) he asked me what I meant by this. “Come with me”, I said. Finishing his coffee, he diligently followed me to the server room. Once inside, I asked him to show me the Exchange Server. Puzzled, he correctly pointed out the exact machine. I then asked him to trace the power cables and tell me where they went.

    As with most server rooms, locating and identifying cables can be a bit of a challenge after equipment has been added and removed, so this took a little longer than we expected. Eventually, the tech traced the cables back to

    ………an old looking UPS that had a red light illuminated at the front like it had been a prop in a Terminator film.

    Suddenly, the real cause of this issue dawned on the tech like a morning sunrise over the Serengeti. The UPS that the Exchange Server was unexpectedly connected to had a faulty battery. The UPS was conducting a self test at 2am each morning, and because the bypass test failed owing to the burnt battery, the connected server lost power and started back up after the offending equipment left bypass mode and went online.

    Where is this going you might ask ? Here’s the moral of this particular story

    • Just because a problem involves technology, it doesn’t mean that the answer has to be a complex technical one
    • Logic and common sense has a part to play in all of our lives.
    • Sometimes, it makes more sense just to step back, take a breath, and see something for what it really is before deciding to commit
    • It’s easy to allow technical expertise to cloud your judgement – don’t fall into the trap of using a sledgehammer to break an egg
    • You cannot buy experience – it’s earned, gained, and leaves an indelible mark

    Author of OGProxy, Swatch, Threaded, and most of Sudonix's bugs…

    0

  • phenomlabundefined

    Neural networks being used to create realistic phishing emails

    Security
    21
    19 Votes
    21 Posts
    535 Views
    phenomlabundefined

    @crazycells this perhaps? 🙂

    terminator_endoskeleton_1020.webp

  • Madchatthewundefined

    Link vs Refresh

    Solved Customisation
    20
    8 Votes
    20 Posts
    502 Views
    phenomlabundefined

    @pobojmoks Do you see any errors being reported in the console ? At first guess (without seeing the actual code or the site itself), I’d say that this is AJAX callback related

  • Madchatthewundefined

    Blog Setup

    Solved Customisation
    17
    8 Votes
    17 Posts
    422 Views
    Madchatthewundefined

    Here is an update. So one of the problems is that I was coding on windows - duh right? Windows was changing one of the forward slashes into a backslash when it got to the files folder where the image was being held. So I then booted up my virtualbox instance of ubuntu server and set it up on there. And will wonders never cease - it worked. The other thing was is that there are more than one spot to grab the templates. I was grabbing the template from the widget when I should have been grabbing it from the other templates folder and grabbing the code from the actual theme for the plugin. If any of that makes sense.

    I was able to set it up so it will go to mydomain/blog and I don’t have to forward it to the user/username/blog. Now I am in the process of styling it to the way I want it to look. I wish that there was a way to use a new version of bootstrap. There are so many more new options. I suppose I could install the newer version or add the cdn in the header, but I don’t want it to cause conflicts. Bootstrap 3 is a little lacking. I believe that v2 of nodebb uses a new version of bootstrap or they have made it so you can use any framework that you want for styling. I would have to double check though.

    Thanks for your help @phenomlab! I really appreciate it. I am sure I will have more questions so never fear I won’t be going away . . . ever, hahaha.

    Thanks again!

  • Madchatthewundefined

    Nodebb as blogging platform

    General
    10
    5 Votes
    10 Posts
    315 Views
    phenomlabundefined

    @qwinter I’ve extensive experience with Ghost, so let me know if you need any help.

  • phenomlabundefined

    Understanding how simple fraud techniques work

    Blog
    1
    0 Votes
    1 Posts
    117 Views
    phenomlabundefined

    ING_19061_33691-min.jpg.webp
    Identity theft and fraud have been commonplace for a number of years, but have taken on various different forms. Several years ago, the basis of identity theft required the perpetrator to gain as much physical information as possible concerning the intended target. With the onset of personally identifiable information attributing individuals being siphoned out of businesses, and GDPR regulation landing in 2018, I thought it would be a good idea to get an article out that identifies the most common types of identity fraud, and how easily information can be obtained - not necessarily through social engineering, but from your own rubbish.

    What is needed to commit identity fraud ?

    Such information would typically be anything that could be classed as “personally identifying” – mail for example. A utility bill could be presented as proof of identity in order to obtain services or other financial gain by impersonating that individual. Most mail we receive through the postal system these days is often junk, but the odd element will contain a wealth of information that is a gold mine to an identity thief looking to commit fraud.

    Before the onset of the internet as we know it today, an identity thief had to work for this information in ways that are seldom deployed in today’s threat landscape (but still used nonetheless). Such activity meant sorting through rubbish (or trash – dependant on your locale), with the sole aim of finding material that could be used to perform impersonation. This activity has actually become simpler and cleaner over the years, mainly thanks to new recycling laws that separate the real rubbish from what an identity thief is looking for. In actual fact, all any potential thief has to do is steal the recycling bag itself – thus not only improving productivity, but also increasing the chances of extraction dramatically. Nobody is going to be that concerned about their rubbish going missing – they threw it out, so asking for it back would raise the inevitable question as to why you disposed of it in the first place if you wanted to keep it.

    Anything with your name and address on it is an excellent start, but it isn’t enough. For this to be beneficial, an identity thief would need your date of birth. You’d think that this would be difficult to obtain. In actual fact, it isn’t. Using a variety of techniques, an identity thief can extract this information from other sources such as electoral systems, census records, and most family tree research systems. The information will be buried yet available somewhere, and it just needs to be exposed. How much time an identity thief needs to invest in this activity varies dependant on the prize – nobody wants to be knee deep in rotting produce unless there is a significant reward at the end of it.

    Why is a date of birth so important ?

    Your date of birth is often required when completing loan applications (for example), and without this, an identity thief cannot procure services or gain access to a financial source easily. It’s like the missing piece of a puzzle. Without that piece, you have most of the picture, but not all of it. Any missing components required for identity theft to be possible can also be extracted from sources much closer to you than you’d think. Using a variety of techniques – most of them social – any thief can extract the required information without too much effort. The most common approach is to leverage social media.

    The identity thief pretends that they know the individual to one of your friends or associates, and is then able to engage them in conversation. The incredible fact about social media is that people tend to post a variety of information that they probably wouldn’t if they were to think twice about it, and this vulnerability is surprisingly simple to exploit. Facebook, for example, allows you to see the profiles of any other connection your new “friend” has, and vice versa. Too much information in these profiles that is on public display is the low hanging fruit that is required for identity theft to become a realistic prospect.

    As this technique relies solely on trust, and the source of the information provides the missing pieces of their own free will and volition, no crime is actually committed. Trust is the key element for this method of extraction to succeed – and in most cases, it does.

    My post box is susceptible ? Why ?

    Another simple mechanism of obtaining information is intercepting post intended for the target. This sounds like a difficult task, and for housing estates, you’d probably have to kidnap the postman in order to gain access to the mail (just kidding). However, there have been some occasions where mail has been inadvertently given to someone else impersonating the occupier of the intended address. This practice was rife at one point, and now most postal services will not hand over mail unless they can post it through the letterbox, or leave it at a designated collection point.

    And here is the real vulnerability. In apartment blocks, flats, or shared complexes, mail is typically left in mailboxes that require a key to access. The idea being that the intended recipient holds the key, and collects their mail from the mailbox. In most cases, it is a fairly simple process to either extract mail from this box via the letter opening (it sounds crazy, but you can actually get your fingers into the slot and if someone left a parcel, a letter could be sitting on top, and be within easy reach), or use brute force to break the lock and gain access this way. In the UK, personal post boxes aren’t commonplace if you live in a house, as the doors often have letter boxes designed to deliver directly into the property - enhancing security. This isn’t necessarily the same for multi-dwelling apartments, but in most cases, each door has it’s own letterbox. I recently had a new door fitted to the front of my house, and it had no place for a letterbox. Based on this, I decided to purchase a wall mounted post box. Despite being made of metal and looking sturdy, it was simple to gain direct entry to without the keys through the opening at the top. This was designed to accept parcels and standard letters, but in most cases (for me anyway), was wide enough for a hand to reach inside and intercept mail. Not sure what I’m getting at ? Have a look at the below

    The picture above is my (hairy) hand and arm inserted into my own post box - it’s a little difficult to see the full effect, but it does give you a clear indicator of how simple this method of retrieving mail actually is. Various fraud and identity theft instances have been reported over the years, and the extraction point is often identified as the mailbox. As outrageous as it sounds, an identity thief could (and this has actually happened in the past):

    Apply for a loan in your name Intercept your post for the application form Sign this as you, and return the form Wait for the loan to be approved Collect the requested loan amount from the account they setup in your name Not repay the loan, leaving you responsible for the total amount as far as the lender is concerned.

    Once an identity thief has access to your personal information. they can then use this to create new identities to sell onto others. And it is not just the living that have been subjected to this type of fraud. The deceased are often the target of identity theft, as there is generally nobody to question or challenge this, unless a relative receives a demand for payment of an outstanding debt that has been accrued since they passed away. As simple as it sounds, a thief just needs to review the obituaries in the local newspaper to identify a potential target. This will contain the name, age, and in several cases, the date born – or a simple mechanism of retrieving this information.

    Given the relatively simple steps above, you are able to see how identity theft works. Not so complex after all, is it ? So how can we prevent it, or at the very best, lessen it’s impact ?

    Arrange for your bank statements and utility bills to be sent to you electronically, and not by post Regularly check your bank accounts for unauthorised or unexpected activity. Perform frequent credit checks to ensure that you are not being denied credit or being blacklisted – either of these is a sign of recent identity fraud. Do not place sensitive documents in your recycling unless they have been shredded – preferably by a cross-cut device to prevent reassembly. A bag of ribbons is unappealing to an identity thief Secure your letter or post box in such a way that makes tampering very difficult, it not nearly impossible. My advice here is to abide by the law, and not make the device a booby trap if opened. Do not become complacent – exercise caution when disposing of or storing sensitive documents For the truly paranoid, there’s a galvanized incinerator. It sounds technical, but is really just a bin with a chimney, designed for burning paper and garden waste. You may need to check with your local authority before using one of these - there may be conditions governing their use in restricted areas as the smoke emitted can be quite unforgiving to drying laundry in neighbouring gardens / yards, or hazardous to breathe in dependant on proximity and the material being burnt.

    Deploying these simple techniques can reduce your chances being exposed to risk of identity theft, and you’ll be surprised at just how effective they can be.

    Remember - each of these techniques relies on the sole point of vulnerability - human nature. Don’t expose your identity unnecessarily.

  • kurulumuNetundefined

    Any improvement on Ghost addon?

    Solved Configure
    6
    2 Votes
    6 Posts
    252 Views
    phenomlabundefined

    @kurulumu-net CSS styling is now addressed and completed.

  • phenomlabundefined

    Why you should never neglect physical security

    Blog
    1
    0 Votes
    1 Posts
    138 Views
    phenomlabundefined

    bg-min-dark.webp
    It’s a common occurrence in today’s modern world that virtually all organisations have a considerable budget (or a strong focus on) information and cyber security. Often, larger organisations spend millions annually on significant improvements to their security program or framework, yet overlook arguably the most fundamental basics which should be (but are often not) the building blocks of any fortified stronghold.

    We’ve spent so much time concentrating on the virtual aspect of security and all that it encompasses, but seem to have lost sight of what should arguably be the first item on the list – physical security. It doesn’t matter how much money and effort you plough into designing and securing your estate when you consider how vulnerable and easily negated the program or framework is if you neglect the physical element. Modern cyber crime has evolved, and it’s the general consensus these days that the traditional perimeter as entry point is rapidly losing its appeal from the accessibility versus yield perspective. Today’s discerning criminal is much more inclined to go for a softer and predictable target in the form of users themselves rather than spend hours on reconnaissance and black box probing looking for backdoors or other associated weak points in a network or associated infrastructure.

    Physical vs virtual

    So does this mean you should be focusing your efforts on the physical elements solely, and ignoring the perimeter altogether ? Absolutely not – doing so would be commercial suicide. However, the physical element should not be neglected either, but instead factored into any security design at the outset instead of being an afterthought. I’ve worked for a variety of organisations over my career – each of them with differing views and attitudes to risk concerning physical security. From the banking and finance sector to manufacturing, they all have common weaknesses. Weaknesses that should, in fact, have been eliminated from the outset rather than being a part of the everyday activity. Take this as an example. In order to qualify for buildings and contents insurance, business with office space need to ensure that they have effective measures in place to secure that particular area. In most cases, modern security mechanisms dictate that proximity card readers are deployed at main entrances, rendering access impossible (when the locking mechanism is enforced) without a programmed access card or token. But how “impossible” is that access in reality ?

    Organisations often take an entire floor of a building, or at least a subset of it. This means that any doors dividing floors or areas occupied by other tenants must be secured against unauthorised access. Quite often, these floors have more than one exit point for a variety of health and safety / fire regulation reasons, and it’s this particular scenario that often goes unnoticed, or unintentionally overlooked. Human nature dictates that it’s quicker to take the side exit when leaving the building rather than the main entrance, and the last employee leaving (in an ideal world) has the responsibility of ensuring that the door is locked behind them when they leave. However, the reality is often the case instead where the door is held open by a fire extinguisher for example. Whilst this facilitates effective and easy access during the day, it has a significant impact to your physical security if that same door remains open and unattended all night. I’ve seen this particular offence repeatedly committed over months – not days or weeks – in most organisations I’ve worked for. In fact, this exact situation allowed thieves to steal a laptop left on the desk in an office of a finance firm I previously worked at.

    Theft in general is mostly based around opportunity. As a paradigm, you could leave a £20 note / $20 bill on your desk and see how long it remained there before it went missing. I’m not implying here that anyone in particular is a thief, but again, it’s about opportunity. The same process can be aligned to Information security. It’s commonplace to secure information systems with passwords, least privilege access, locked server rooms, and all the other usual mechanisms, but what about the physical elements ? It’s not just door locks. It’s anything else that could be classed as sensitive, such as printed documents left on copiers long since forgotten and unloved, personally identifiable information left out on desks, misplaced smartphones, or even keys to restricted areas such as usually locked doors or cupboards. That 30 second window could be all that would be required to trigger a breach of security – and even worse, of information classed as sensitive. Not only could your insurance refuse to pay out if you could not demonstrate beyond reasonable doubt that you had the basic physical security measures in place, but (in the EU) you would have to notify the regulator (in this case, the ICO) that information had been stolen. Not only would it be of significant embarrassment to any firm that a “chancer” was able to casually stroll in and take anything they wanted unchallenged, but significant in terms of the severity of such an information breach – and the resultant fines imposed by the ICO or SEC (from the regulatory perspective – in this case, GDPR) – at €20m or 4% of annual global (yes, global) turnover (if you were part of a larger organisation, then that is actually 4% of the parent entity turnover – not just your firm) – whichever is the highest. Of equal significance is the need to notify the ICO within 72 hours of a discovered breach. In the event of electronic systems, you could gain intelligence about what was taken from a centralised logging system (if you have one – that’s another horror story altogether if you don’t and you are breached) from the “electronic” angle of any breach via traditional cyber channels, but do you know exactly what information has taken residence on desks ? Simple answer ? No.

    It’s for this very reason that several firms operate a “clean desk” policy. Not just for aesthetic reasons, but for information security reasons. Paper shredders are a great invention, but they lack AI and machine learning to wheel themselves around your office looking for sensitive hard copy (printed) data to destroy in order for you to remain compliant with your information security policy (now there’s an invention…).

    But how secure are these “unbreakable” locks ? Despite the furore around physical security in the form of smart locks, thieves seem to be able to bypass these “security measures” with little effort. Here’s a short video courtesy of ABC news detailing just how easy it was (and still is in some cases) to gain access to hotel rooms using cheap technology, tools, and “how-to” articles from YouTube.

    Surveillance systems aren’t exempt either. As an example, a camera system can be rendered useless with a can of spray paint or even something as simple as a grocery bag if it’s in full view. Admittedly, this would require some previous reconnaissance to determine the camera locations before committing any offence, but it’s certainly a viable prospect of that system is not monitored regularly. Additionally, (in the UK at least) the usage of CCTV in a commercial setting requires a written visible notice to be displayed informing those affected that they are in fact being recorded (along with an impact assessment around the usage), and is also subject to various other controls around privacy, usage, security, and retention periods.

    Unbreakable locks ?

    Then there’s the “unbreakable” door lock. Tapplock advertised their “unbreakable smart lock” only to find that it was vulnerable to the most basic of all forced entry – the screwdriver. Have a look at this article courtesy of “The Register”. In all seriousness, there aren’t that many locks that cannot be effectively bypassed. Now, I know what you’re thinking. If the lock cannot be effectively opened, then how do you gain entry ? It’s much simpler than you think. For a great demonstration, we’ll hand over to a scene from “RED” that shows exactly how this would work. The lock itself may have pass-code that “…changes every 6 hours…” and is “unbreakable”, but that doesn’t extend to the material that holds both the door and the access panel for the lock itself.

    And so onto the actual point. Unless your “unbreakable” door lock is housed within fortified brick or concrete walls and impervious to drills, oxy-acetylene cutting equipment, and proximity explosive charges (ok, that’s a little over the top…), it should not be classed as “secure”. Some of the best examples I’ve seen are a metal door housed in a plasterboard / false wall. Personally, if I wanted access to the room that badly, I’d go through the wall with the nearest fire extinguisher rather than fiddle with the lock itself. All it takes is to tap on the wall, and you’ll know for sure if it’s hollow just by the sound it makes. Finally, there’s the even more ridiculous – where you have a reinforced door lock with a viewing pane (of course, glass). Why bother with the lock when you can simply shatter the glass, put your hand through, and unlock the door ?

    Conclusion

    There’s always a variety of reasons as to why you wouldn’t build your comms room out of brick or concrete – mostly attributed to building and landlord regulations in premises that businesses occupy. Arguably, if you wanted to build something like this, and occupied the ground floor, then yes, you could indeed carry out this work if it was permitted. Most data centres that are truly secure are patrolled 24 x 7 by security, are located underground, or within heavily fortified surroundings. Here is an example of one of the most physically secure data centres in the world.

    https://www.identiv.com/resources/blog/the-worlds-most-secure-buildings-bahnhof-data-center

    Virtually all physical security aspects eventually circle back to two common topics – budget, and attitude to risk. The real question here is what value you place on your data – particularly if you are a custodian of it, but the data relates to others. Leaking data because of exceptionally weak security practices in today’s modern age is an unfortunate risk – one that you cannot afford to overlook.

    What are your thoughts around physical security ?

  • phenomlabundefined

    New blog section added

    Announcements
    1
    0 Votes
    1 Posts
    157 Views
    phenomlabundefined

    I’m excited to announce that a new blog section has been added 😛 The blog is actually using Ghost and not NodeBB, and also sits on it’s own subdomain of https://content.sudonix.com (if you ever fancy hitting it directly).

    We’ve moved all the blog articles out of the existing category here, and migrated them to the Ghost platform. However, you can still comment on these articles just like they were part of the root system. If you pick a blog article whilst logged in

    7e61c35b-2304-4c06-bda2-34da52252e1a-image.png

    Then choose the blog article you want to read

    7ca5089e-cf7e-4050-b951-5426fd1c6ec3-image.png

    Once opened, you’ll see a short synopsis of the article

    1bc086b4-5968-4e81-bc47-70de263b2275-image.png

    Click the link to read the rest of the post. Scroll down to the bottom, and you’ll see a space where you can provide your comments ! Take the time to read the articles, and provide your own feedback - I’d love to hear it.

    3f712e7c-475d-42d4-a5ca-b4becff6cc2e-image.png

    The blog component is not quite finished yet - it needs some polish, and there’s a few bugs scattered here and there, but these will only manifest themselves if a certain sequence of events is met.