Sunday, September 12, 2021

Mobile LTE Coverage Map

I recently came across an interesting article posted by the Federal Communications Commission (FCC).

It contains a map that shows the 4G LTE mobile coverage areas of the nation’s four largest mobile wireless carriers: AT&T Mobility, T-Mobile, UScellular, and Verizon.

It states that the coverage map was created using data submitted voluntarily by the four mobile carriers and depicts the coverage a customer can expect to receive when outdoors and stationary.

I am an AT&T wireless customer and have always found that cellular coverage varies significantly in the Memphis metro area.

This tool supports that experience on AT&T but I am skeptical of the other carriers' reporting.

Here is an example of LTE data in a neighborhood in Memphis that is not friendly to cellular towers.

AT&T

T-Mobile

Verizon

Who do you believe?

For reference, here's a map of cell tower locations.




Sunday, September 05, 2021

Microsegmentation

Years ago, a co-worker and I had a discussion about architecting our Unix systems as if each one was at risk from the network, even the LAN. His thinking was that you would never know where the threat was coming from so you should not trust anyone except those connections you made deliberately.

He was so far ahead of everyone else. And ahead of the technology available then.

Now we have Software Defined Networking (SDN). Usually SDN is applied to Wide Area Networks (WANs). SDNs warrant a whole series of posts on their own.

What is now nascent is Microsegmentation.


This excerpt from eSecurity Planet nails my co-worker's vision.

The Problem With Traditional Security Techniques
More traditional security tools, such as firewalls, VPNs and network access control (NAC), have their limits because they focus primarily on securing the network perimeter. Security teams historically assumed the biggest threats were attacking from outside the network. But that approach overlooked insider threats - and the damage that hackers could do when they eventually got inside the network.

SDN provides the underlying technology that wasn't available years ago.

But that allows you to worry about the next layer. What traffic do you allow between systems? Now you need to get to Layer 7 granularity.

Guardicore has a good article that lays out the benefits (and challenges) of microsegmentation.

Benefits of Microsegmentation
  • Lateral Movement Security
  • Reduce Attack Surface
  • Secure Critical Applications

Then an organization has to consider the methods.
  • Microsegmentation by environment
  • Creating regulatory boundaries
  • Microsegmentation by application type
  • Microsegmentation by tier

The steps for an implementation effort are:
1. Identify what needs to be segmented
2. Tackle short-term goals
3. Deal with long term goals
4. Repeat

Labeling of assets is critical along with a comprehensive understanding of the applications' relationships and dependencies.
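
Here is an added example (mine for illustration, not code from either article) of what labeling buys you: a default-deny check of observed flows against labels for environment, application and tier. The asset names, labels, ports and allowlist are all constructed, and it matches on port number rather than true Layer 7 content.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    env: str    # environment label, e.g. prod / dev
    app: str    # application label
    tier: str   # web / app / db


# Constructed inventory: every known asset carries all three labels.
INVENTORY = {a.name: a for a in (
    Asset("web-prod-1", "prod", "billing", "web"),
    Asset("app-prod-1", "prod", "billing", "app"),
    Asset("db-prod-1", "prod", "billing", "db"),
    Asset("web-dev-1", "dev", "billing", "web"),
    Asset("hr-app-1", "prod", "hr", "app"),
)}

# Default deny: only these tier-to-tier flows are allowed, and only
# inside a single environment and a single application.
ALLOWED_TIER_FLOWS = {("web", "app", 8443), ("app", "db", 5432)}


def evaluate(src, dst, port):
    """Return (verdict, reason) for one flow between two asset names."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return "deny", "unlabeled asset"
    if s.env != d.env:
        return "deny", "crosses environment boundary"
    if s.app != d.app:
        return "deny", "crosses application boundary"
    if (s.tier, d.tier, port) not in ALLOWED_TIER_FLOWS:
        return "deny", "tier flow not on allowlist"
    return "allow", "matches tier allowlist"


# Constructed flow log: (source, destination, destination port).
OBSERVED_FLOWS = [
    ("web-prod-1", "app-prod-1", 8443),
    ("app-prod-1", "db-prod-1", 5432),
    ("web-prod-1", "db-prod-1", 5432),   # skips the app tier
    ("web-dev-1", "db-prod-1", 5432),    # dev reaching into prod
    ("hr-app-1", "db-prod-1", 5432),     # another application's server
    ("printer-7", "db-prod-1", 5432),    # asset nobody labeled
]


def audit(flows):
    """Return the denied flows with reasons, plus a count per reason."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(*flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied, Counter(reason for _, reason in denied)


if __name__ == "__main__":
    denied, summary = audit(OBSERVED_FLOWS)
    for (src, dst, port), reason in denied:
        print(f"DENY {src} -> {dst}:{port}  ({reason})")
    print(dict(summary))
```
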

I'll cover more of microsegmentation in future posts.

Sunday, August 29, 2021

Chrome Incognito

Google recently came out on the short end of a $5 billion class-action lawsuit concerning Chrome's Incognito mode.

Apparently as a result of that lawsuit, Google is being more obvious about what Incognito means.

I thought it would be worth sharing. Here is the new splash screen for Incognito mode.


What Incognito does
After closing all Incognito tabs, Chrome clears:
• Your browsing activity from this device
• Your search history from this device
• Information entered in forms

What Incognito doesn't do
Incognito does not make you invisible online:
• Sites know when you visit them
• Employers or schools can track browsing activity
• Internet service providers may monitor web traffic

One subtlety in the first section is that Chrome doesn't take any clearing action until after you close all Incognito tabs. What this means is that if you visit a site that only allows limited visits from a non-subscriber, the cookie that tracks your visit isn't deleted until you close all Incognito tabs. Specifically, if you have Facebook open in an Incognito window and then visit a paywalled site, the count of you visiting the paywalled site will remain until you close the Facebook Incognito window.

It's probably a good time to revisit How to Sandbox Facebook.

Sunday, August 22, 2021

If You’re Going to Use the Cloud

... for Pete's sake, please use its strengths.

You know I have mixed opinions on the "cloud" depending on the size and capability of your organization.

An example of leveraging the cloud's strengths is in a recent article I saw from KnowBe4 entitled "Can the Microsoft 365 Platform Be Trusted to Stop Security Breaches?"

KnowBe4 referenced an article from Hornetsecurity entitled "1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds." (Don't click on that just yet.)


Realizing that everybody has an agenda, let's look at these articles.

KnowBe4 calls out the following findings:
  • 33% of organizations are not using Microsoft’s multi-factor authentication (MFA)
  • Of those using MFA, 55% of organizations are not using Conditional Access which scrutinizes connection requests beyond just providing credentials and additional authentication factors
  • Only 43% leverage Microsoft’s data loss prevention policies to keep data from leaving the organization
  • 68% of organizations expect Microsoft to keep email safe from threats
This is my point. If you're going to use a cloud solution such as Microsoft 365, leverage its capabilities. Even if they are premium services, they're probably NOT services you could deliver yourself.

KnowBe4's recommendation: Have your "Users ... undergo continual Security Awareness Training."

By the way, that's KnowBe4's business model - training users. And that's a good thing.

Now, before you click on Hornetsecurity's link, get ready for a pretty aggressive privacy policy.


That almost scared me off. But just click on "Cookie-Details" and slide everything to "Off".

In addition to the points that KnowBe4 raised from Hornetsecurity's study, Hornetsecurity has one more finding: "An impressive 82% of all our respondents who use third-party email security solutions reported no breaches."

I'll bet you can guess what Hornetsecurity sells.

Regardless of the various agendas, the Hornetsecurity study is solid and the findings valuable. Take them into consideration for your Microsoft 365 implementation.

And consider the value-add capabilities of any cloud solution you implement.

Sunday, August 15, 2021

Three Problems with Two Factor Authentication

One of the podcasts I listen to regularly is the SANS Internet Storm Center's "StormCast."


In addition to their podcasts, they have "diary" posts. Recently one of their contributors posted "Three Problems with Two Factor Authentication."

They actually listed 3 issues and "other gotchas."

Their list was:

0 - Usability
1 - Resetting the 2nd Factor
2 - Using a Token to Reset a Password

Now, being an engineer, I wasn't surprised by them beginning their count at "0."

But then they enumerated their "other gotchas."

4 - Other Gotchas

Where'd "3" go?

Very much worth the read!

Sunday, August 08, 2021

You Say Tomato, I Say Tomato

Does this irritate you as much as it does me?

It kept popping up on various web sites and you had to close it.

Here's how to eliminate this pop-up.



Set "Google Account sign-in prompts" to OFF.

It's that easy.


Tomato, tomato.

Sunday, August 01, 2021

Follow the Wire

I'll start by conceding that the problem I'll be discussing was MINE, not Xfinity's.

But we didn't know that for a long time.

Recently my 2 year contract with Xfinity lapsed and my bill jumped $50 per month. I called to renegotiate.

They responded with a new plan that had the same TV channels and bumped the Internet speed from 200Mbps to 800Mbps. While I didn't NEED that speed increase, faster is always better.

So after a couple of days, I tried a speedtest.

Hmmm. 250Mbps. What's up with that?

So I looked at my modem, a CISCO DPC3008. While it is DOCSIS 3.0, it only has 8 download channels. This limits it to 340Mbps.

Maybe that was the problem. Not.

But it was time for a new modem anyway so I got an Arris SB6190. It was still DOCSIS 3.0 but had 32 download channels for 1.4Gbps.

Maybe that would fix it. Not.

So I called Xfinity for support. I got a representative in Honduras who was very thorough. His thinking was that there was a cap still in place somewhere but he couldn't see it. So he dispatched a technician.

The technician showed up. His diagnosis was that I had a bad coupling on the coax going into the modem. Not.

I was still at 250Mbps.

I placed another service call. This time the technician didn't even show up. He just called.

He said that I needed a different bootfile. His attempts at downloading a new one didn't work. He said that was because I needed a DOCSIS 3.1 modem.

The SB6190 was listed on Xfinity's modem page for 800Mbps. But I bought a Netgear CM2000 to satisfy him.

No change.

And that's the end of the Xfinity lack of support story. Hours and hours of my time. Several hours of Internet down time while replacing/testing hardware. Hundreds of dollars spent. Two technicians dispatched, neither of whom was capable of diagnosing a problem.

So I decided to take the advice I gave to one of my Unix admins when he was troubleshooting a dial-out modem on an HP 9000.

FOLLOW THE WIRE.

I took a laptop with a gigabit Ethernet port and plugged it directly into the Netgear CM2000.

Bingo! I got 650Mbps.

Then I plugged that laptop into the LAN port on my router.

250Mbps.

That pointed directly at my Asus RT-AC68R router.

As Pogo said, "We have met the enemy, and he is us."

So off to Google I went.

What I FINALLY found was that the RT-AC68R defaults to using the CPU to perform NAT acceleration. But the RT-AC68R has dedicated hardware that it can use. When I dug down into the settings and switched "NAT Acceleration" to "Auto", all was well!


The download speed jumped to 950Mbps!

The switch point where you should use the dedicated hardware is 150-200Mbps so I hadn't stumbled on it earlier.

Then I switched back to the Arris SB6190 and returned the Netgear CM2000. I still got 850Mbps.

Lessons learned: 1) Fast home Internet is a challenge and 2) Xfinity is no help.

Sunday, July 25, 2021

There Is No Cloud

I post fairly regularly about the "cloud." I have mixed opinions depending on the size and capability of your organization.

But recently I was following a story of Google changing their desktop Drive solution, AGAIN.

As frustrating as that will be to Google Drive users, that's not the story I want to tell.

Often the comments on a tech story are as interesting and valuable as the story itself and this was no exception.

It's just another reminder that The Cloud is just someone else's computer. And if they decide to change the rules around using their computer, then you either have to suck it up and accept it, or to try and pull back in all your data yourself. Neither of which is usually an easy or pleasant experience...
Good advice.

Turns out, there's even a t-shirt for this!


Get yours now!

Sunday, July 18, 2021

I'm STUNed

My router (Asus RT-AC68R) has a nice traffic monitor screen. I check it regularly. One day I noticed that an iPhone had a large amount of traffic attributed to STUN.


Off I went to figure out what STUN was.

It turns out that STUN stands for Session Traversal Utilities for NAT. Interestingly, STUN messages are sent in the lower overhead User Datagram Protocol (UDP) packets, not Transmission Control Protocol (TCP).

Still, what on the iPhone was using STUN?


Here's Apple's chart of port usage that calls out STUN.

Check off that we've learned something today.

Sunday, July 11, 2021

Nearby Share

One iOS feature that I really like is AirDrop. A recent article (archive.is) in Winaero explained a similar Windows 10 feature called Nearby Share.
Nearby Share in Windows 10 allows transferring files between files within the same network. It is a great and somewhat underrated feature that will let you ditch third-party sharing apps and slow USB thumb drives. Being integrated into the OS, Nearby Share ensures the best compatibility with almost any Windows 10 device.
I would add that it is pretty much unknown, even by a geek like me.

You need a relatively recent version of Windows 10, e.g. 1803 or later. You also need Bluetooth enabled and having the 2 PCs on the same Wi-Fi network increases the speed of transfer.

To use Nearby Share, on both systems go to Settings > System > Shared Experiences and turn on Nearby Sharing.

To share a file, right click on a file in Windows Explorer and choose "Share".


You'll get a dialog showing the receiving system. Click on it.


You'll get this notification on the sending system.


On the receiving system, you'll get this notification.


Nice!



Sunday, July 04, 2021

Application Layer Gateways - Part III

In Part II, I discussed how certain applications are allowed to "tweak" the router so that traffic to different incoming ports is allowed.
This post is the final part of this discussion (at least for now).

Again, I will reference Steve Gibson's Security Now podcast, this time episode 804.

In this episode, Steve describes how a NAT slipstreaming attack allows a remote attacker to trick the NAT into creating NAT traversal mappings to ANY device on the internal network.

This isn't good.

Armis discovered that routers' Application Layer Gateways (ALGs) have even more issues.
WebRTC TURN (Traversal Using Relay around NAT) connections can be established by browsers over TCP to any destination port. The browsers restricted-ports list was not consulted by this logic, and was therefore bypassed.

These TURN connections are used by H.323, a VoIP protocol similar to SIP.

So what to do? I repeat the recommendation at the end of Part II. In your router, turn off as many of the ALG passthroughs as you can.

Good luck if you're using H.323.

Sunday, June 27, 2021

Windows 10 21H1 Enablement Package

I wrote about how I had forced the upgrade to Windows 10 21H1 in a previous post. I did it the hard way and suffered the consequences. That post described the cleanup I had to do.

Well, I came across another laptop that hadn't/wouldn't upgrade to 21H1. I didn't want to take the hard way again.

If a PC automatically offers 21H1, the installation is QUICK. So I set out to find how to force that laptop to upgrade in the same manner as if it were automatically offered.

And I found it.

It seems that 21H1's functions were actually delivered in previous months' cumulative updates. The "Feature Upgrade" that is automatically offered just flips some registry switches and reboots.

That "Feature Upgrade" is simply KB5000736, an enablement package. This enablement package is only available for devices running versions 20H2 and 2004.

If you have a device that isn't offering 21H1, just download KB5000736 (64-bit) and run it. Incidentally, when I clicked on that link, nothing happened. I had to right click and choose "Copy link address" and then paste that link into another browser tab.


Enjoy!

Sunday, June 20, 2021

Happy 40th Birthday 8086

June 8, 2021 was the 40th anniversary of the Intel 8086 microprocessor chip. Today it's usually called the x86 chip.

https://commons.wikimedia.org/wiki/File:Ic-photo-Intel--D8086--%288086-CPU%29.png

Here's an article on its history.

I worked in IT during those 40 years and have a few thoughts.

In the 1990s, there were several competing architectures in the enterprise realm. I especially recall DEC's Alpha and Sun's SPARC. The less said about IBM's PowerPC the better. It took me some Googling to even remember what HP's processor was. And nobody remembers Intel's Itanium. HP went all in on Itanium and look where that got them.

But these architectures locked an organization into a specific vendor. We went through a huge and expensive migration of our SAP systems from PowerPC to SPARC.

During that effort, my architect and I pushed the vendors to propose a mixed environment, i.e. proprietary processors for database servers and commodity processors (x86) for application servers.

None of the vendors would play. We ended up going with SPARC, but in the end, the battle was lost to Intel's x86 architecture.

Ironically, this success wasn't attributable to Intel but AMD.

One of the advantages that SPARC brought us was the ability to move to 64-bit architecture for our database servers. That made orders of magnitude improvements in our I/O response times.

At that time, Intel didn't support 64-bit on x86.

AMD came along and implemented a 64-bit architecture on top of Intel's x86 code. That is known as x64 and has conquered the world.

Intel played catch-up and eventually implemented x64 and, as they say, "The rest is history."

But the fat lady hasn't sung yet.

Sunday, June 13, 2021

Exchange in the Tank

This article came up in my feed recently:


This noted that the Microsoft Exchange admin portal was down after Microsoft forgot to renew the SSL certificate for the website.


That sounded familiar to me so I went back and searched my blog.

Bingo!


In that case Microsoft tweeted:
As Yogi Berra said:
It's déjà vu all over again.

Apparently Microsoft didn't take my advice:

Maybe they should have put a reminder on their Outlook calendar. 

Sunday, June 06, 2021

Windows.old

I know I'm not your normal user. I try things so you don't have to.

Recently I forced the installation of Windows 10 21H1 on my ThinkPad. To do this, I downloaded the Windows Update Assistant and ran it.

Don't try this at home.

Unlike the upgrade from the Windows Update app, this process does a FULL Windows 10 update.

But it all went well. It took a long time unlike using the Windows Update app but worked fine.

Then a week later, I was poking around in my C: drive. (You do this, don't you?)

I found several folders that I wasn't expecting:

$GetCurrent - 4.23 GB
Windows10Upgrade - 3.62 GB
Windows.old - 25.6 GB (that's not a typo)



Those weren't really a problem on my HD but still that's over 33GB of space.

Surely Windows 10 would clean those up. Some of them are supposed to be cleaned up 10 days after the upgrade. That period had not lapsed.

Windows 10 has a Storage Sense feature that has an option to "Delete previous versions of Windows".


I ran that and it reported that it cleaned up 17.4 GB by deleting Windows.old. That's a nice start.

Now you ask why did it only clean up 17.4 GB if Windows File Explorer said that Windows.old was 25.6 GB? Read this until your head hurts.

Windows 10 Forums said that uninstalling the Windows Update Assistant will delete the Windows10Upgrade folder. I uninstalled the Windows Update Assistant and the Windows10Upgrade folder was gone.

How-To Geek said that the $GetCurrent folder can be deleted but should be deleted automatically. After 10 days, its size was only 181 KB.

Sunday, May 30, 2021

Microsoft Aggressive Updates

In several of Microsoft's recent updates, e.g. Windows 10 21H1 update, when the system reboots the user is presented with aggressive fullscreen dialogs.

Here is what I saw on one of my systems and how I recommend that you respond.


"Your device needs to connect to a few more Microsoft services ..."

No, it doesn't "need" to connect. Ignore everything and click on "Continue".


"Use recommended browser settings"

No. Click on "Don't update your browser settings" and then click on "Apply Settings".


"Sign in with Microsoft"

Again, no. Click on "Cancel".

Give it up, Microsoft.

Sunday, May 23, 2021

Salesforce's Circular Dependency

I follow cloud vendors' outages. Broadly, I believe that cloud vendors can deliver higher availability than most SMBs can do themselves. Enterprises are a different discussion.

But I always get a kick out of looking at various cloud vendors' post mortem reports (archive.is).

Recently Salesforce had a DNS outage. Like other vendors, e.g. Microsoft, the Salesforce outage even took down their status page!
And look at the spin they tried to put on it.
"We're not blaming one employee," said Chief Availability Officer Darryn Dieken.
And then they threw him under the bus.
"For whatever reason that we don't understand, the employee decided to do a global deployment," Dieken went on.
They don't understand?

But wait, there's more...
"In this case," he went on, "we found a circular dependency where the tool that we use to get into production had a dependency on the DNS servers being active."
 
If you're going to run a cloud service, you've GOT to design to avoid these kinds of problems.

Sunday, May 16, 2021

Amazon Photos

Sorry, but this is just a rant. I'm an Amazon Prime user. I have several Amazon Echos. On the Echos, I have the display set to play a slideshow of photos from Amazon Photos.

That has been working fine until 05/11/21. The Echo Show 5 started only displaying the weather, no photos. I poked around in the settings and confirmed that I had the display set to show my photos, the weather, and upcoming calendar events.

Amazon has a tacky habit of silently turning on other features but this time that hadn't happened. So I navigated to re-select the Amazon Photos album to use as a slideshow.

I got a screen that prompted me to sign up for Amazon Photos. But, I already had that capability with Amazon Prime.

I went to my Echo Show 8 HD. It was showing the slideshow. Just for fun, I navigated to re-select the Amazon Photos album to use as a slideshow.

BINGO, I got a screen that prompted me to sign up for Amazon Photos in spite of the slideshow working just fine.

Ok, so I went and logged into the web interface of Amazon Photos. Every time I tried to access an album I got a message that there had been an error and I should try again later.

By then, I was really confused. My next 2 routes were to 1) factory reset my Echo Show 5 or 2) call Amazon for support. Neither seemed particularly likely to resolve the problem.

So I ignored it for a couple of days.

Then on 05/13/21 I got an e-mail from Amazon saying:


Putting that ANYWHERE earlier would have been very valuable to me.

Sunday, May 09, 2021

Reload Windows on Your New PCs

Now, Dell is not my favorite PC vendor. It probably has something to do with the smoke that came out of my coworker's office as her new Dell laptop burned up.

But I'm not going to jump on Dell in this post. You can do whatever you want.

This post is about what you should do as soon as you buy a new PC.

But first, I will mention what cranked me up on this.

Since 2009, Dell has been distributing "nice" utilities on all of its PCs that updated their firmware. These packages were variously called Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, or Dell Platform Tags.

The problem is that these packages installed Dell's DBUtil.


In December 2020, SentinelOne notified Dell of five vulnerabilities in this utility.

DARKReading described it:
The bugs give adversaries a way to bypass security products, wipe a hard drive, or install a malicious driver on a domain controller. "The attacker is effectively the system administrator."
What I don't want to do is suggest that this is exclusive to Dell. Lenovo has had similar issues on its products.

So, what should you do?

Format and reload Windows on ANY PC you get before you do ANYTHING with it. Get the bits from Microsoft here. Don't worry. Windows Update will install all the drivers that you need. You'll save significant disk space and won't have any bloat-ware the vendor installed.

You can thank me later.

Sunday, May 02, 2021

iOS 14.5 Fake News

Now that I've got your attention, iOS 14.5 really isn't "Fake News." It's just that the news around it was so over-hyped.

Here are a few headlines from early April:

iOS 14.5 is making the biggest change to apps in years - here's how
Apple Now Rejecting App Updates That Defy iOS 14.5 App Tracking Transparency Rules
Apple reminds developers to prepare for App Tracking Transparency ahead of iOS 14.5 release

Then iOS 14.5 was released on 04/26/21.

I approached it cautiously. First on my iPhone, then my iPad, then my iPad Mini, ...

But I haven't seen any of these predicted pop-ups.

Why?

Business Insider has a good explanation here.
However, some people who've updated to iOS 14.5 haven't seen any permission pop-ups.

Mobile-advertising experts suggested three possible reasons. 

1. The 'allow apps to request to track' privacy setting is toggled off
2. Some users might not have the option to toggle 'allow apps to request to track' on
3. Some apps haven't rolled out the prompt yet
What should YOU do?

Go ahead and install iOS 14.5. Then go to Settings, then Privacy, then Tracking. Make sure the slide for "Allow Apps to Request to Track" is to the left.


That'll turn off all of those pop-ups.


Sunday, April 25, 2021

Building Data Centers

Have you ever built a data center?

In my 40+ year career, I've probably been involved in building around 10 data centers.

Then this article was mentioned in Windows Weekly episode 721.



Wow!

Microsoft currently operates more than 200 data centers. Think of the logistics of building 50-100 data centers each year! I'd guess there would have to be 10-20 people dedicated to each project not to mention the expenditures.

After each data center is up and running, then you've got to facilitate the network connectivity, the power, the operations, etc.

In this article was a link to a virtual tour.

PS. The article mentions that few people ever get to tour Microsoft's physical data centers. I was fortunate enough to tour Microsoft's Redmond facility in the mid-2000s. The thing that made the longest lasting impression on me was a single server they had over in a nook in front of a glass window. They described that as a "generic" server. The idea was that any manufacturer could build a server to those specifications and the hardware would be interchangeable. In hindsight, no manufacturer wanted that as it would be too easy to displace them but the idea eventually manifested as virtual machines that aren't tied to a hardware specification.

Sunday, April 18, 2021

Application Layer Gateways - Part II

In Part I, I discussed Network Address Translation (NAT).
That seems like a good idea and it is.

But...

What if the response doesn't come back on the same PORT as it originated on? Then NAT Port Address Translation (PAT) won't let it through.

How does NAT PAT know what to do?

That's when Application Layer Gateways (ALGs) come into play.

[ALG] allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer ... protocols ...

In Security Now Episode 792, Steve Gibson explains:

The problem is that Application Layer Gateways attempt to be completely transparent to the application protocols they’re proxying for. They’re sitting there in our routers, enabled by default, hidden, powerful, and automatic.

So you say that YOU don't have any of these? Think again.

Here's what my router has:


Even deep in the bowels of a really good router, this is described only as "Enable NAT Passthrough to allow a Virtual Private Network (VPN) connection to pass through the router to the network clients."

Fooled you, didn't it?

Look at that list of applications that are allowed to "tweak" the router so that traffic to different incoming ports is allowed.

Back to Security Now Episode 792, Steve Gibson related that he had gone through and judiciously turned these to "Disable." But then his Verizon femtocell wouldn't work. It needed IPSec.

More in Part III.

Sunday, April 11, 2021

Application Layer Gateways - Part I

This is the first in a series of posts about Application Layer Gateways. But first you have to understand Network Address Translation (NAT).

NAT is what makes your router such a good firewall.

Basically it makes all of your Internet requests look as if they originated from the router, hiding your various devices. But more than that, it only allows incoming packets that are responsive to outgoing packets.

Here's how Wikipedia explains it:

[T]he port numbers are changed so that the combination of IP address (within the IP header) and port number (within the Transport Layer header) on the returned packet can be unambiguously mapped to the corresponding private network destination.

By Yangliy at English Wikibooks - Transferred from en.wikibooks to Commons., Public Domain, https://commons.wikimedia.org/w/index.php?curid=61795882

In plain English, every time something is sent out from your network, the router keeps a record of it and will only allow incoming traffic that is responsive to that.

This has 2 benefits. First, the Internet can't see your internal network. All traffic looks like it originated from your router. Second, any non-responsive traffic, e.g. from hackers, is simply disregarded.

Part II will dig another layer deeper.
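
To make the "record of it" concrete, here is an added toy model (my own illustration, not router firmware or code from Wikipedia or Security Now) of the NAT/PAT table described above, plus the different-port case that Part II picks up. All addresses and ports are constructed; `alg_enabled` and `expects_port` are hypothetical names, and the announced port is reused as the public port to keep things short.

```python
from dataclasses import dataclass, field

# Constructed addresses: documentation ranges (RFC 5737) and a private LAN.
ROUTER_WAN_IP = "203.0.113.10"
LAPTOP = "192.168.1.20"
SERVER = "198.51.100.5"
STRANGER = "192.0.2.66"


@dataclass
class NatRouter:
    """Simplified NAT/PAT router; alg_enabled is a hypothetical switch."""
    alg_enabled: bool = False
    next_port: int = 40000
    # public port -> (inside ip, inside port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    # ALG pinholes: public port -> (inside ip, inside port, remote ip)
    pinholes: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, expects_port=None):
        """Rewrite an outgoing packet and remember it in the table.

        expects_port models an application protocol that announces, in its
        payload, a second port on which the remote side will call back.
        Only an enabled ALG reads that and opens a matching pinhole.
        """
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (src_ip, src_port, dst_ip, dst_port)
        if expects_port is not None and self.alg_enabled:
            self.pinholes[expects_port] = (src_ip, expects_port, dst_ip)
        # What the Internet sees: the router's address, not the laptop's.
        return (ROUTER_WAN_IP, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the inside (ip, port) to forward to, or None to drop."""
        entry = self.table.get(dst_port)
        if entry and (entry[2], entry[3]) == (src_ip, src_port):
            return entry[0], entry[1]          # responsive to our request
        pin = self.pinholes.get(dst_port)
        if pin and pin[2] == src_ip:
            return pin[0], pin[1]              # callback the ALG expected
        return None                            # everything else is dropped


def demo():
    """Run the same traffic with the ALG off and on; return what got in."""
    results = {}
    for alg in (False, True):
        r = NatRouter(alg_enabled=alg)
        r.outbound(LAPTOP, 51000, SERVER, 443)           # public port 40000
        outcome = {
            "reply": r.inbound(SERVER, 443, 40000),      # answer to request
            "stranger": r.inbound(STRANGER, 443, 40000), # wrong sender
            "closed_port": r.inbound(STRANGER, 50000, 22),
        }
        # Part II's case: the server calls back on a port other than the
        # one the request went out on.
        r.outbound(LAPTOP, 51001, SERVER, 21, expects_port=50021)
        outcome["second_port"] = r.inbound(SERVER, 20, 50021)
        results[alg] = outcome
    return results


if __name__ == "__main__":
    for alg, outcome in demo().items():
        print("ALG on " if alg else "ALG off", outcome)
```

With the ALG off, the callback on the second port is dropped just like any other unsolicited packet, which is why turning passthroughs off can break an application that depends on one.
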

Sunday, April 04, 2021

Risks of Remote Work

I follow KnowBe4's blog. Recently they covered a white paper by Cybersecurity Insiders.


It raised several issues that I've been worried about since the pandemic hit and everybody went home.

KnowBe4 called out the following key findings:
  • Almost three-quarters of organizations are concerned about the security risks introduced by users working from home; despite these challenges, 86% are likely to continue supporting remote work in the future.
  • Key security challenges cited include user awareness and training (57%), home/public WiFi network security (52%), and sensitive data leaving the perimeter (46%).
  • The applications that organizations are most concerned with securing include, file sharing (68%), the web (47%), video conferencing (45%), and messaging (35%).
  • More than half of organizations see remote work environments having an impact on their compliance posture (70%). GDPR tops the list of compliance mandates (51%).
  • Organizations prioritize human-centric visibility into remote employee activity (34%), followed by next-generation anti-virus and endpoint detection and response (23%), improved network analysis and next-gen firewalls (22%), and Zero Trust Network Access (19%).
How is your organization going to mitigate concerns about continuing remote work?

How is your organization going to mitigate WiFi network security and data exfiltration?

How is your organization going to mitigate file sharing, video conferencing, and messaging?

Keep me posted.

Sunday, March 28, 2021

More Internet Speed Tests

Several years ago, I stumbled across Google's Internet speed test. That prompted me to look at several other Internet speed testing tools. The post is here.

This article on CNET prompted me to look again. CNET had a couple of tools I hadn't heard of before so I ran them against my previous set of tools.


At my house I have a 200Mbps Xfinity connection. I was using my ThinkPad X390 with an Intel(R) Wireless-AC 9560 160MHz Wi-Fi adapter. Intel says that adapter can deliver 1.73Gbps so that probably wasn't a limiting factor.

Test              Download
*Ookla            196Mbps
*fast.com         200Mbps
*Google Fiber     205Mbps
*Google           181Mbps
speedof.me        215Mbps
testmy.net        186Mbps

* were in my earlier test

Conclusion: Mox nix!

The results were much more sensitive to other traffic than the accuracy of the various tests. In my initial tests of speedof.me and testmy.net, they were both around 125Mbps. I retested them and they both came in over 155Mbps. A third test gave the above results.

A more extreme demonstration of interference was at my daughter's house who has a 1Gbps Xfinity connection.

Test              Download
Ookla             330Mbps
fast.com          150Mbps
Google Fiber      91Mbps
Google            50Mbps
speedof.me        54Mbps
testmy.net        83Mbps

I didn't have the opportunity to rerun the tests at this location. In hindsight, there were streaming applications running outside of my control during the testing.

Sunday, March 21, 2021

FastStone Image Viewer

My previous post covered how to restore Windows Photo Viewer. While that worked, I kinda got frustrated that I kept having to do that.

I fell back to my trusty Google search and came up with some alternatives to Windows Photo Viewer.

The article that seemed most on point to me was on Skylum.

#4 on their list was FastStone Image Viewer but it was #1 for me.

I always like portable applications and FastStone has one for their Image Viewer.

I put the portable version in my OneDrive/Software folder so it's available on all my PCs.


Oh, it's free.