How a company can release a product as high-profile as the iPhone and not realize there is a major flaw with the antenna design is beyond me.  But I received word today that there is another flaw, not just with the new iPhone, but with iOS 4, that can wreak havoc on Exchange servers.

Apparently iOS 4 can somehow make your Exchange server stop accepting MAPI sessions from Outlook clients.  Apple is aware of the problem and has released a configuration profile that you need to install on the iPhone.  This is sure to be a pain in the ass for Exchange admins as employees buy their own iPhones or update their 3G/3GS iPhones to the new OS.  Way to go, Apple!

Note:  If your Exchange server stops accepting MAPI sessions and you cannot get the problem iPhone updated, disabling ActiveSync for the user at the Exchange level should open up MAPI again.
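As an added example (not from the original post), here is one way to act on that workaround from the Exchange Management Shell: list the mailboxes that have an iOS 4 ActiveSync partnership, and only when asked, disable ActiveSync for those mailboxes. It assumes Exchange 2010 cmdlets (Get-CASMailbox, Get-ActiveSyncDeviceStatistics, Set-CASMailbox) and that iOS 4 devices report a DeviceOS string containing "iPhone OS 4"; both the cmdlet set and that string pattern are assumptions about your environment.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010
# Management Shell; the cmdlets used and the DeviceOS string format are
# assumptions. Run without -Disable first to see who is affected.
param(
    [switch]$Disable,
    # Regex matched against each device's DeviceOS. The "iPhone OS 4" form is
    # an assumption about how iOS 4 identifies itself; adjust if your
    # Get-ActiveSyncDeviceStatistics output shows something different.
    [string]$OsPattern = 'iPhone OS 4|iOS 4'
)

$affected = @()

# Only mailboxes that actually have a device partnership are worth querying;
# the rest would just slow the sweep down.
$partnered = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership }

foreach ($mbx in $partnered) {
    $devices = Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue
    foreach ($d in $devices) {
        if ($d.DeviceOS -match $OsPattern) {
            $affected += New-Object PSObject -Property @{
                Mailbox         = [string]$mbx.Identity
                DeviceOS        = $d.DeviceOS
                DeviceUserAgent = $d.DeviceUserAgent
                LastSuccessSync = $d.LastSuccessSync
            }
        }
    }
}

# Report what was found so the admin can review before touching anything.
$affected | Sort-Object Mailbox | Format-Table Mailbox, DeviceOS, DeviceUserAgent, LastSuccessSync -AutoSize

if ($Disable) {
    $mailboxes = $affected | Select-Object -ExpandProperty Mailbox -Unique
    foreach ($m in $mailboxes) {
        # Disabling ActiveSync cuts off every device on this mailbox, not just
        # the iPhone, so the report above should be reviewed first.
        Set-CASMailbox -Identity $m -ActiveSyncEnabled $false
        Write-Host "ActiveSync disabled for $m"
    }
}
```

Run it as `.\Find-iOS4Devices.ps1` to report only, and `.\Find-iOS4Devices.ps1 -Disable` to apply the workaround. Once the user has installed Apple's profile, turn the mailbox back on with `Set-CASMailbox -Identity <user> -ActiveSyncEnabled $true`. If you are on Exchange 2010 SP1 or later, a device access rule (New-ActiveSyncDeviceAccessRule with -Characteristic DeviceOS) can block the device instead of the whole mailbox, which is less disruptive for users with more than one phone.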


I want to get feedback from folks on this, so comment away.  Over the past six months I have been working with companies going over the pros and cons of moving their most critical service(s) off to the “cloud”.  I’m not going to get into the upside and downside here, because it is different for every service and every company.  A concern that has come up with the security folks involved centers on their reputation and credibility.

One side of the argument is that their reputation is on the line regardless of where the data lives.  They are responsible whether it lives in-house or not.  With that line of thinking they are much more comfortable keeping the data in-house where they can monitor and manage it and everything around it.  Moving their data off to a Google Apps account, for example, where they are limited in what they can implement for security policy and where monitoring is next to nothing, makes them very anxious.  They do not want their credibility as security professionals riding on Google.

The alternate argument is that by having the data in-house there are unrealistic expectations put on their ability to keep the data safe.  Nothing is 100% secure and therefore it is just a matter of time until it gets breached, at which point they will lose a lot of credibility.  Moving it offsite, let’s pick on Google again, seems like a great idea because if there is a breach they can stand back and say “Not my fault” because securing that data is no longer their responsibility.  The obvious thought there is that they cannot be blamed for someone else’s mistake or lack of control.

Camp 1 thinks they are getting thrown under the bus the first time Google has a breach.  Camp 2 thinks they will be driving the bus over Google when the SHTF.

I’ll save my thoughts on this until after people comment.  What do you think?


Feeling guilty


After reading Rich Mogull’s post at Securosis I couldn’t help but feel guilty for not blogging in AGES.  Rich’s blog is one of the reasons I got into blogging myself and, as he states, it allowed me the opportunity to meet people I otherwise wouldn’t have.  Twitter came along and has taken a big chunk out of blogging, not only writing, but reading as well.  Is Twitter a replacement for blogging?  It shouldn’t be, but it is a lot easier.  I never had any deep technical posts so I can only imagine the work that the smart folks put into their posts.  😉

For the most part I have been staying off the radar lately.  As mom used to say, if you don’t have anything nice to say…..

Disenchanted would probably best describe my current feeling toward security.  Dealing with internal policy stuff has been tough, and talking with external companies has been even worse.  I used to think that people made bad decisions about security simply because they lacked knowledge about it.  Given the proper information, I believed that people would make sound decisions around the security of their information.  I’m not so sure about that anymore.

Whether it is a start-up or an established company, it seems like no one cares about security.  I was talking with the CEO of an established company about their decision to move their messaging and document management to Google Apps.  I asked some questions about how they are dealing with certain security concerns and his response was “We never really thought about that.”  So then I described them in more depth to give him the information they hadn’t thought about, and his response was “Well, we don’t have anything important in email, so if someone gains access it isn’t a big deal.”  I don’t know about you, but I can’t think of anyone that would be happy to find out their email was breached.  People don’t realize the amount of confidential information they handle on a regular basis…until it bites them in the ass.

Unfortunately this is not the only person with this attitude that I have been dealing with.  People, including but not limited to the decision makers, just don’t seem to care about security.  Make it available, make it easy, hope the odds are in our favor that it won’t happen to us.

I’m whining…I know…I’ll stop now.  A more uplifting post will come soon, promise.


I got roped into helping a company test their video conferencing equipment the other day.  They are in Colorado, so this was all over the phone; fun times for sure.  A network engineer from the video company that sells and configures these systems was on the phone with me to do the test.  I figured this should go pretty smoothly since I had a network engineer from the video company in the loop.  Think again.

The system wasn’t working, and all signs pointed to network issues.  He checked the IP settings and according to him they “looked right”; it was a public IP address.  I asked if the unit was actually sitting outside the firewall, to which he responded yes.  We troubleshot a few more things before I asked if he was sure it was outside the firewall; again he said yes.  After another 20 minutes of him changing cables and rebooting shit, I asked him to humor me and plug his laptop into the wall jack where the video system was connected so I could see what he was getting for an address.  It was a private IP address.  Sigh.

Ok, maybe it wasn’t his fault, maybe someone switched ports on him or something.  So I tell him that’s why it isn’t working.  He tells me it doesn’t matter.  WHAT!?  He set static public IP settings on a system that is sitting on the local LAN and he thinks it doesn’t matter.  Please explain to me why you think it doesn’t matter whether or not your system can route to any other networks; this I have got to hear.  He said these systems don’t care if they are behind a firewall or not, they just work.  I had to spend the next 15 minutes explaining to him why that is not going to work.  He still did not agree and told me it doesn’t matter what he puts in for an IP address, the system will figure it out.  I thought for a moment that the guy was just messing with me, maybe I was being Punk’d or something…but unfortunately he just didn’t understand networking.  I tried to humor him a little longer, but when he started explaining to me that the Internet is like a cloud and their systems can talk to any other systems in the cloud regardless of where they are, I had to call it quits.

I’m not sure how this Network Engineer got his title, but he wasn’t deserving of it.


Me no hungry


I don’t know how those of you who blog on a regular basis do it. Props to you for the constant effort and dedication, I just can’t keep up. Things are good with me, been busy with planned projects but even busier with unplanned projects that seem to have appeared from nowhere.

Here is a funny little story I thought I’d share with you. I am fortunate to work for a company that provides lunch for the employees every day. Yes, every day they have lunch brought into the office for us; it is an awesome benefit for sure. Recently they decided to change things up a bit and give us the option to order our own individual lunch. Great idea: if you are in the office you can log into a website where you are given a list of local restaurants, choose what you want from any restaurant, and it will be delivered with your name on it. You are allowed a certain dollar amount to spend, and if you go over that you pay the difference. Can’t beat that deal, right…or can you?

I decided to have some fun with the system, with permission of course. What types of things could I do to this system? Let the fun begin! I was thinking of all the different types of attacks that I could use to beat the system, each one more complicated than the last. Then I sat back and thought for a minute…why over-analyze the situation? I decided that before digging in on a technical level, let’s just try some default passwords. BINGO!!!

Before you could say enchilada I was able to gain admin access, make myself an admin, give myself a $1000 daily food limit, create new employee accounts, etc. The next day I ordered food for a bunch of us on my account to see if it raised any red flags…it didn’t. Then I decided to order on behalf of an employee that doesn’t exist and see if that raised any red flags…it didn’t. I mean, come on, an employee named “Fat Guy” ordering family-size portions of cannoli and cheesecake should at least draw a little attention. The fun went on for a few days and, needless to say, we all ate pretty well that week. 😉